I suspect that there might by something wrong with the BomJsonGenerator14.
It does not output hashes which are part of external references.

Steps to reproduce

The following complete Java program, using

• cyclonedx-core-java v7.1.5
• Windows 10 64bit
• Java 8

import java.util.Arrays;

import org.cyclonedx.generators.json.BomJsonGenerator14;
import org.cyclonedx.model.Bom;
import org.cyclonedx.model.Component;
import org.cyclonedx.model.ExternalReference;
import org.cyclonedx.model.Hash;


class Scratch
{
    public static void main(String[] args)
    {
        ExternalReference extRef = new ExternalReference();
        extRef.setType(ExternalReference.Type.BOM);
        extRef.setUrl("https://example.org/support/sbom/portal-server/1.0.0");
        extRef.setComment("An external SBOM that describes what this component includes");
        Hash md5 = new Hash(Hash.Algorithm.MD5, "2cd42512b65500dc7ba0ff13490b0b73");
        Hash sha1 = new Hash(Hash.Algorithm.SHA1, "226247b40160f2892fa4c7851b5b913d5d10912d");
        Hash sha256 = new Hash(Hash.Algorithm.SHA_256, "09a72795a920c1a9c0209cfb8395f8d97089832d249cba8c0938a3423b3ed1d1");
        extRef.setHashes(Arrays.asList(md5, sha1, sha256));

        Component component = new Component();
        component.setGroup("org.example");
        component.setName("mylibrary");
        component.setType(Component.Type.LIBRARY);
        component.setVersion("1.0.0");
        component.addExternalReference(extRef);

        Bom bom = new Bom();
        bom.addComponent(component);

        String json = new BomJsonGenerator14(bom).toJsonString();
        System.out.println(json);
    }
}

Here's the actual output (green) vs. the expected output (red):

{
  "bomFormat" : "CycloneDX",
  "specVersion" : "1.4",
  "version" : 1,
  "components" : [
    {
      "group" : "org.example",
      "name" : "mylibrary",
      "version" : "1.0.0",
      "externalReferences" : [
        {
          "type" : "bom",
          "url" : "https://example.org/support/sbom/portal-server/1.0.0",
-          "comment" : "An external SBOM that describes what this component includes",
+          "comment" : "An external SBOM that describes what this component includes"
-          "hashes" : [
-            {
-              "alg" : "MD5",
-              "content" : "2cd42512b65500dc7ba0ff13490b0b73"
-            }, {
-              "alg" : "SHA-1",
-              "content" : "226247b40160f2892fa4c7851b5b913d5d10912d"
-            }, {
-              "alg" : "SHA-256",
-              "content" : "09a72795a920c1a9c0209cfb8395f8d97089832d249cba8c0938a3423b3ed1d1"
-            }
-          ]
        }
      ],
      "type" : "library"
    }
  ]
}

I found some test data which indicates that my code above should work, but it seems the corresponding tests only test parsing it, not generating. When I look at the objects in a debugger just before serialization, they look fine and include the hashes. However, the generated JSON does not include the hashes.

Please let me know if you need anything else or if I can assist somehow. Thanks for looking into this!

The root bom and individual components can be signed.

This enhancement request is to:

• Add support for signing the bom element and individual component elements
• Add verification of all signatures in the bom (the root bom and all components)
• Support XML Signature (via JSR 105) and JSON Signature Format(webpki.org) for inline signing cases
• Support document signatures using JSON Web Signature (jose4j?)

The Dependency class does not seem to match the JSON documentation on dependencies where the object has a property dependsOn. In the implementation of the model, there is a list of Dependencies which seems to create a circular reference.

Is there a way to access the Depends on or is there an issue with the Model implementation?

It seems that since the resolution of #26 calls to bomParser.validate(bomFile) fail with

org.xml.sax.SAXParseException; systemId: file:/tmp/tmp1313740032155659095.tmp; lineNumber: 51; columnNumber: 70; cvc-attribute.3: The value 'UTF-8' of attribute 'encoding' on element 'text' is not valid with respect to its type, 'encoding'.

I would like to see an improved release process...

• Releases populated with release notes. This will help repo watchers who configure customise events for "Releases" only.

• CHANGELOG.md updated for every release (or replaced by the usage of release notes?)

• Improved uses of semantic versioning. Should not the additions to license mapping in 7.1.4 have warranted a minor release (7.2.0) instead of a patch release?

All of the above are used by dependabot PRs that update cyclonedx-core-java in downstream projects. Thus, addressing release notes (and/or changelog) should make a dependabot PR easier to review and approve. A difference in patch vs minor version can change the way that dependabot itself works.

As an additional justification, a wee story....

The release of cyclonedx-core-java-7.1.4 caused problems for me when it was included in cyclonedx-maven-plugin 2.7.0 and then BOMs generated using that release of the plugin resulted in displayed "License" in Dependency-Track to change for some components

Affected components were ones that use dual licensing and where one of the licenses now started to succesfully map to an SPDX license ID. Dependency-Track 4.5.0 does not support dual licences in the UI and prefers the ID over name. Hence the change of what license gets displayed. This caused me to spend a couple of hours investigating why things had changed. Bear in mind that the changes might have resulted in a policy violation.

Sorry for this more question-type kind of issue, but I'm currently trying to understand how you would associate a particular copyright holder with a particular license in CycloneDX. The component model has distinct field for license and copyrights:

So suppose a single component is licensed under both BSD and MIT, and the BSD licensed part has "Copyright bsd-guy" and the MIT licensed part has "Copyright MIT-guy". How would you properly reflect that in the data model as there's only a single copyright string?

Thanks very much for your help.

Tested at 5.0.4.
The "dependencies" issue has been resolved.
However, the "vulnerabilities" issue remains.

If I describe vulnerability information in sbom,
The value of the "vulnerabilities" does not appear in the json format.
Like this,

  ],
  "vulnerabilities"
}

Please fix~~!!!

Resolved in v5.0.4

Originally posted by @stevespringett in #138 (comment)

SPDX Tools was removed from Java Core v3.0.0 due to introducing a lot of unnecessary dependencies and requiring Internet access by default (could be disabled via system property: SPDXParser.OnlyUseLocalLicenses).

Since the removal of SPDX Tools, CycloneDX Java Core had to implement the SPDX license list (json) as well as license text from the SPDX project. This enhancement request is to add support for SPDX license expressions, which is no longer possible in v3.0.0, back into this library.

There's a potential to introduce a standalone library that provides all of this functionality - similar to SPDX Tools - but without all the extras that go along with it. Possibly similar to https://github.com/nexB/license-expression

A media types class should be created that holds static strings of these media types:

https://www.iana.org/assignments/media-types/application/vnd.cyclonedx+xml
https://www.iana.org/assignments/media-types/application/vnd.cyclonedx+json

Dependency-Track user attempting to upload a BOM with pedigree, was unable to do so. The sample BOM was pulled directly from the CycloneDX website and is a valid example. The following exception was thrown:

org.cyclonedx.exception.ParseException: com.fasterxml.jackson.databind.exc.InvalidFormatException: Cannot deserialize value of type `org.cyclonedx.model.Component$Type` from String "enhancement": not one of the values accepted for Enum class: [application, container, device, library, file, framework, operating-system, firmware]
 at [Source: (byte[])"<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3"
     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
     version="1">
    <components>
        <component type="library">
            <group>com.acme</group>
            <name>sample-library</name>
            <version>1.0.0</version>
            <pedigree>
                <ancestors>
                    <!-- The component from which com.acme's modified
                    version of sample-libr"[truncated 4119 bytes]; line: 47, column: 29] (through reference chain: org.cyclonedx.model.Bom["components"]->java.util.ArrayList[1]->org.cyclonedx.model.Component["type"])
	at org.cyclonedx.parsers.XmlParser.parse(XmlParser.java:89)
	at org.dependencytrack.tasks.BomUploadProcessingTask.inform(BomUploadProcessingTask.java:89)
	at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:99)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: com.fasterxml.jackson.databind.exc.InvalidFormatException: Cannot deserialize value of type `org.cyclonedx.model.Component$Type` from String "enhancement": not one of the values accepted for Enum class: [application, container, device, library, file, framework, operating-system, firmware]
 at [Source: (byte[])"<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3"
     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
     version="1">
    <components>
        <component type="library">
            <group>com.acme</group>
            <name>sample-library</name>
            <version>1.0.0</version>
            <pedigree>
                <ancestors>
                    <!-- The component from which com.acme's modified
                    version of sample-libr"[truncated 4119 bytes]; line: 47, column: 29] (through reference chain: org.cyclonedx.model.Bom["components"]->java.util.ArrayList[1]->org.cyclonedx.model.Component["type"])
	at com.fasterxml.jackson.databind.exc.InvalidFormatException.from(InvalidFormatException.java:67)
	at com.fasterxml.jackson.databind.DeserializationContext.weirdStringException(DeserializationContext.java:1851)
	at com.fasterxml.jackson.databind.DeserializationContext.handleWeirdStringValue(DeserializationContext.java:1079)
	at com.fasterxml.jackson.databind.deser.std.EnumDeserializer._deserializeAltString(EnumDeserializer.java:327)
	at com.fasterxml.jackson.databind.deser.std.EnumDeserializer._fromString(EnumDeserializer.java:214)
	at com.fasterxml.jackson.databind.deser.std.EnumDeserializer.deserialize(EnumDeserializer.java:188)
	at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:324)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeOther(BeanDeserializer.java:225)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:197)
	at com.fasterxml.jackson.dataformat.xml.deser.WrapperHandlingDeserializer.deserialize(WrapperHandlingDeserializer.java:121)
	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer._deserializeFromArray(CollectionDeserializer.java:347)
	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:244)
	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:28)
	at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:324)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:187)
	at com.fasterxml.jackson.dataformat.xml.deser.WrapperHandlingDeserializer.deserialize(WrapperHandlingDeserializer.java:121)
	at com.fasterxml.jackson.dataformat.xml.deser.XmlDeserializationContext.readRootValue(XmlDeserializationContext.java:91)
	at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4593)
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3609)
	at org.cyclonedx.parsers.XmlParser.parse(XmlParser.java:87)

Need to rework unit tests to account for all valid examples in the specification repo. This library should be able to deserialize every single valid example without errors.

With this addition to license mappings in PR #195

The consequence is that the component antlr4 now maps to BSD-4-Clause when the intention of the antlr project is the the license should beBSD-3-Clause.

See LICENSE.txt

From antlr4 POM:

    <licenses>
        <license>
            <name>The BSD License</name>
            <url>http://www.antlr.org/license.html</url>
            <distribution>repo</distribution>
        </license>
    </licenses>

So, is this a problem with cyclonedx-core-java license mapping, or is it a problem with antlr4 POM?

The consequence of thinking that a BSD-3-Clause is actually BSD-4-Clause is that the latter:

• Adds an "advertising clause" that requires an acknowledgment of the original source in all advertising material.
• Was rescinded in 1999
• Is not OSI-approved.

Hello!

With the latest 2.4.0 version our builds breaks due to connection time out regarding validation json schemata.

Is there a possiblitiy to deactiveate the validation?

Thanks!

build 02-Apr-2021 09:31:40 java.net.ConnectException: Operation timed out build 02-Apr-2021 09:31:40 at sun.nio.ch.Net.connect0 (Native Method) build 02-Apr-2021 09:31:40 at sun.nio.ch.Net.connect (Net.java:493) build 02-Apr-2021 09:31:40 at sun.nio.ch.Net.connect (Net.java:482) build 02-Apr-2021 09:31:40 at sun.nio.ch.NioSocketImpl.connect (NioSocketImpl.java:588) build 02-Apr-2021 09:31:40 at java.net.Socket.connect (Socket.java:585) build 02-Apr-2021 09:31:40 at java.net.Socket.connect (Socket.java:534) build 02-Apr-2021 09:31:40 at sun.net.NetworkClient.doConnect (NetworkClient.java:182) build 02-Apr-2021 09:31:40 at sun.net.www.http.HttpClient.openServer (HttpClient.java:474) build 02-Apr-2021 09:31:40 at sun.net.www.http.HttpClient.openServer (HttpClient.java:569) build 02-Apr-2021 09:31:40 at sun.net.www.http.HttpClient.<init> (HttpClient.java:242) build 02-Apr-2021 09:31:40 at sun.net.www.http.HttpClient.New (HttpClient.java:341) build 02-Apr-2021 09:31:40 at sun.net.www.http.HttpClient.New (HttpClient.java:362) build 02-Apr-2021 09:31:40 at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient (HttpURLConnection.java:1248) build 02-Apr-2021 09:31:40 at sun.net.www.protocol.http.HttpURLConnection.plainConnect0 (HttpURLConnection.java:1187) build 02-Apr-2021 09:31:40 at sun.net.www.protocol.http.HttpURLConnection.plainConnect (HttpURLConnection.java:1081) build 02-Apr-2021 09:31:40 at sun.net.www.protocol.http.HttpURLConnection.connect (HttpURLConnection.java:1015) build 02-Apr-2021 09:31:40 at sun.net.www.protocol.http.HttpURLConnection.getInputStream0 (HttpURLConnection.java:1587) build 02-Apr-2021 09:31:40 at sun.net.www.protocol.http.HttpURLConnection.getInputStream (HttpURLConnection.java:1515) build 02-Apr-2021 09:31:40 at com.networknt.schema.uri.URLFetcher.openConnectionCheckRedirects (URLFetcher.java:57) build 02-Apr-2021 09:31:40 at com.networknt.schema.uri.URLFetcher.fetch (URLFetcher.java:43) build 02-Apr-2021 09:31:40 at com.networknt.schema.uri.URISchemeFetcher.fetch (URISchemeFetcher.java:50) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchemaFactory.getSchema (JsonSchemaFactory.java:337) build 02-Apr-2021 09:31:40 at com.networknt.schema.RefValidator.getRefSchema (RefValidator.java:83) build 02-Apr-2021 09:31:40 at com.networknt.schema.RefValidator.<init> (RefValidator.java:46) build 02-Apr-2021 09:31:40 at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0 (Native Method) build 02-Apr-2021 09:31:40 at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance (NativeConstructorAccessorImpl.java:62) build 02-Apr-2021 09:31:40 at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance (DelegatingConstructorAccessorImpl.java:45) build 02-Apr-2021 09:31:40 at java.lang.reflect.Constructor.newInstanceWithCaller (Constructor.java:500) build 02-Apr-2021 09:31:40 at java.lang.reflect.Constructor.newInstance (Constructor.java:481) build 02-Apr-2021 09:31:40 at com.networknt.schema.ValidatorTypeCode.newValidator (ValidatorTypeCode.java:131) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonMetaSchema.newValidator (JsonMetaSchema.java:351) build 02-Apr-2021 09:31:40 at com.networknt.schema.ValidationContext.newValidator (ValidationContext.java:54) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.read (JsonSchema.java:206) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.getValidators (JsonSchema.java:356) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:227) build 02-Apr-2021 09:31:40 at com.networknt.schema.PropertiesValidator.validate (PropertiesValidator.java:70) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchemaRef.validate (JsonSchemaRef.java:49) build 02-Apr-2021 09:31:40 at com.networknt.schema.RefValidator.validate (RefValidator.java:138) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.PropertiesValidator.validate (PropertiesValidator.java:70) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.ItemsValidator.doValidate (ItemsValidator.java:93) build 02-Apr-2021 09:31:40 at com.networknt.schema.ItemsValidator.validate (ItemsValidator.java:80) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.PropertiesValidator.validate (PropertiesValidator.java:70) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchemaRef.validate (JsonSchemaRef.java:49) build 02-Apr-2021 09:31:40 at com.networknt.schema.RefValidator.validate (RefValidator.java:138) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.ItemsValidator.doValidate (ItemsValidator.java:93) build 02-Apr-2021 09:31:40 at com.networknt.schema.ItemsValidator.validate (ItemsValidator.java:80) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.PropertiesValidator.validate (PropertiesValidator.java:70) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.BaseJsonValidator.validate (BaseJsonValidator.java:96) build 02-Apr-2021 09:31:40 at org.cyclonedx.parsers.JsonParser.validate (JsonParser.java:234) build 02-Apr-2021 09:31:40 at org.cyclonedx.parsers.JsonParser.validate (JsonParser.java:219) build 02-Apr-2021 09:31:40 at org.cyclonedx.parsers.JsonParser.validate (JsonParser.java:124) build 02-Apr-2021 09:31:40 at org.cyclonedx.parsers.JsonParser.isValid (JsonParser.java:267) build 02-Apr-2021 09:31:40 at org.cyclonedx.maven.BaseCycloneDxMojo.createBom (BaseCycloneDxMojo.java:798) build 02-Apr-2021 09:31:40 at org.cyclonedx.maven.BaseCycloneDxMojo.execute (BaseCycloneDxMojo.java:763) build 02-Apr-2021 09:31:40 at org.cyclonedx.maven.CycloneDxAggregateMojo.execute (CycloneDxAggregateMojo.java:124) build 02-Apr-2021 09:31:40 at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128) build 02-Apr-2021 09:31:40 at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305) build 02-Apr-2021 09:31:40 at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) build 02-Apr-2021 09:31:40 at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) build 02-Apr-2021 09:31:40 at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956) build 02-Apr-2021 09:31:40 at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288) build 02-Apr-2021 09:31:40 at org.apache.maven.cli.MavenCli.main (MavenCli.java:192) build 02-Apr-2021 09:31:40 at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) build 02-Apr-2021 09:31:40 at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62) build 02-Apr-2021 09:31:40 at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43) build 02-Apr-2021 09:31:40 at java.lang.reflect.Method.invoke (Method.java:567) build 02-Apr-2021 09:31:40 at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282) build 02-Apr-2021 09:31:40 at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225) build 02-Apr-2021 09:31:40 at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406) build 02-Apr-2021 09:31:40 at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347) build 02-Apr-2021 09:31:40 [ERROR] Error: build 02-Apr-2021 09:31:40 java.lang.reflect.InvocationTargetException build 02-Apr-2021 09:31:40 at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0 (Native Method) build 02-Apr-2021 09:31:40 at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance (NativeConstructorAccessorImpl.java:62) build 02-Apr-2021 09:31:40 at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance (DelegatingConstructorAccessorImpl.java:45) build 02-Apr-2021 09:31:40 at java.lang.reflect.Constructor.newInstanceWithCaller (Constructor.java:500) build 02-Apr-2021 09:31:40 at java.lang.reflect.Constructor.newInstance (Constructor.java:481) build 02-Apr-2021 09:31:40 at com.networknt.schema.ValidatorTypeCode.newValidator (ValidatorTypeCode.java:131) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonMetaSchema.newValidator (JsonMetaSchema.java:351) build 02-Apr-2021 09:31:40 at com.networknt.schema.ValidationContext.newValidator (ValidationContext.java:54) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.read (JsonSchema.java:206) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.getValidators (JsonSchema.java:356) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:227) build 02-Apr-2021 09:31:40 at com.networknt.schema.PropertiesValidator.validate (PropertiesValidator.java:70) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchemaRef.validate (JsonSchemaRef.java:49) build 02-Apr-2021 09:31:40 at com.networknt.schema.RefValidator.validate (RefValidator.java:138) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.PropertiesValidator.validate (PropertiesValidator.java:70) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.ItemsValidator.doValidate (ItemsValidator.java:93) build 02-Apr-2021 09:31:40 at com.networknt.schema.ItemsValidator.validate (ItemsValidator.java:80) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.PropertiesValidator.validate (PropertiesValidator.java:70) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchemaRef.validate (JsonSchemaRef.java:49) build 02-Apr-2021 09:31:40 at com.networknt.schema.RefValidator.validate (RefValidator.java:138) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.ItemsValidator.doValidate (ItemsValidator.java:93) build 02-Apr-2021 09:31:40 at com.networknt.schema.ItemsValidator.validate (ItemsValidator.java:80) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.PropertiesValidator.validate (PropertiesValidator.java:70) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.BaseJsonValidator.validate (BaseJsonValidator.java:96) build 02-Apr-2021 09:31:40 at org.cyclonedx.parsers.JsonParser.validate (JsonParser.java:234) build 02-Apr-2021 09:31:40 at org.cyclonedx.parsers.JsonParser.validate (JsonParser.java:219) build 02-Apr-2021 09:31:40 at org.cyclonedx.parsers.JsonParser.validate (JsonParser.java:124) build 02-Apr-2021 09:31:40 at org.cyclonedx.parsers.JsonParser.isValid (JsonParser.java:267) build 02-Apr-2021 09:31:40 at org.cyclonedx.maven.BaseCycloneDxMojo.createBom (BaseCycloneDxMojo.java:798) build 02-Apr-2021 09:31:40 at org.cyclonedx.maven.BaseCycloneDxMojo.execute (BaseCycloneDxMojo.java:763) build 02-Apr-2021 09:31:40 at org.cyclonedx.maven.CycloneDxAggregateMojo.execute (CycloneDxAggregateMojo.java:124) build 02-Apr-2021 09:31:40 at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128) build 02-Apr-2021 09:31:40 at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305) build 02-Apr-2021 09:31:40 at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) build 02-Apr-2021 09:31:40 at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) build 02-Apr-2021 09:31:40 at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956) build 02-Apr-2021 09:31:40 at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288) build 02-Apr-2021 09:31:40 at org.apache.maven.cli.MavenCli.main (MavenCli.java:192) build 02-Apr-2021 09:31:40 at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) build 02-Apr-2021 09:31:40 at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62) build 02-Apr-2021 09:31:40 at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43) build 02-Apr-2021 09:31:40 at java.lang.reflect.Method.invoke (Method.java:567) build 02-Apr-2021 09:31:40 at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282) build 02-Apr-2021 09:31:40 at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225) build 02-Apr-2021 09:31:40 at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406) build 02-Apr-2021 09:31:40 at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347) build 02-Apr-2021 09:31:40 Caused by: com.networknt.schema.JsonSchemaException: java.net.ConnectException: Operation timed out build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchemaFactory.getSchema (JsonSchemaFactory.java:361) build 02-Apr-2021 09:31:40 at com.networknt.schema.RefValidator.getRefSchema (RefValidator.java:83) build 02-Apr-2021 09:31:40 at com.networknt.schema.RefValidator.<init> (RefValidator.java:46) build 02-Apr-2021 09:31:40 at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0 (Native Method) build 02-Apr-2021 09:31:40 at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance (NativeConstructorAccessorImpl.java:62) build 02-Apr-2021 09:31:40 at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance (DelegatingConstructorAccessorImpl.java:45) build 02-Apr-2021 09:31:40 at java.lang.reflect.Constructor.newInstanceWithCaller (Constructor.java:500) build 02-Apr-2021 09:31:40 at java.lang.reflect.Constructor.newInstance (Constructor.java:481) build 02-Apr-2021 09:31:40 at com.networknt.schema.ValidatorTypeCode.newValidator (ValidatorTypeCode.java:131) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonMetaSchema.newValidator (JsonMetaSchema.java:351) build 02-Apr-2021 09:31:40 at com.networknt.schema.ValidationContext.newValidator (ValidationContext.java:54) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.read (JsonSchema.java:206) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.getValidators (JsonSchema.java:356) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:227) build 02-Apr-2021 09:31:40 at com.networknt.schema.PropertiesValidator.validate (PropertiesValidator.java:70) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchemaRef.validate (JsonSchemaRef.java:49) build 02-Apr-2021 09:31:40 at com.networknt.schema.RefValidator.validate (RefValidator.java:138) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.PropertiesValidator.validate (PropertiesValidator.java:70) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.ItemsValidator.doValidate (ItemsValidator.java:93) build 02-Apr-2021 09:31:40 at com.networknt.schema.ItemsValidator.validate (ItemsValidator.java:80) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.PropertiesValidator.validate (PropertiesValidator.java:70) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchemaRef.validate (JsonSchemaRef.java:49) build 02-Apr-2021 09:31:40 at com.networknt.schema.RefValidator.validate (RefValidator.java:138) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.ItemsValidator.doValidate (ItemsValidator.java:93) build 02-Apr-2021 09:31:40 at com.networknt.schema.ItemsValidator.validate (ItemsValidator.java:80) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.PropertiesValidator.validate (PropertiesValidator.java:70) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.BaseJsonValidator.validate (BaseJsonValidator.java:96) build 02-Apr-2021 09:31:40 at org.cyclonedx.parsers.JsonParser.validate (JsonParser.java:234) build 02-Apr-2021 09:31:40 at org.cyclonedx.parsers.JsonParser.validate (JsonParser.java:219) build 02-Apr-2021 09:31:40 at org.cyclonedx.parsers.JsonParser.validate (JsonParser.java:124) build 02-Apr-2021 09:31:40 at org.cyclonedx.parsers.JsonParser.isValid (JsonParser.java:267) build 02-Apr-2021 09:31:40 at org.cyclonedx.maven.BaseCycloneDxMojo.createBom (BaseCycloneDxMojo.java:798) build 02-Apr-2021 09:31:40 at org.cyclonedx.maven.BaseCycloneDxMojo.execute (BaseCycloneDxMojo.java:763) build 02-Apr-2021 09:31:40 at org.cyclonedx.maven.CycloneDxAggregateMojo.execute (CycloneDxAggregateMojo.java:124) build 02-Apr-2021 09:31:40 at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128) build 02-Apr-2021 09:31:40 at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305) build 02-Apr-2021 09:31:40 at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) build 02-Apr-2021 09:31:40 at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) build 02-Apr-2021 09:31:40 at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956) build 02-Apr-2021 09:31:40 at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288) build 02-Apr-2021 09:31:40 at org.apache.maven.cli.MavenCli.main (MavenCli.java:192) build 02-Apr-2021 09:31:40 at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) build 02-Apr-2021 09:31:40 at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62) build 02-Apr-2021 09:31:40 at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43) build 02-Apr-2021 09:31:40 at java.lang.reflect.Method.invoke (Method.java:567) build 02-Apr-2021 09:31:40 at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282) build 02-Apr-2021 09:31:40 at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225) build 02-Apr-2021 09:31:40 at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406) build 02-Apr-2021 09:31:40 at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347) build 02-Apr-2021 09:31:40 Caused by: java.net.ConnectException: Operation timed out build 02-Apr-2021 09:31:40 at sun.nio.ch.Net.connect0 (Native Method) build 02-Apr-2021 09:31:40 at sun.nio.ch.Net.connect (Net.java:493) build 02-Apr-2021 09:31:40 at sun.nio.ch.Net.connect (Net.java:482) build 02-Apr-2021 09:31:40 at sun.nio.ch.NioSocketImpl.connect (NioSocketImpl.java:588) build 02-Apr-2021 09:31:40 at java.net.Socket.connect (Socket.java:585) build 02-Apr-2021 09:31:40 at java.net.Socket.connect (Socket.java:534) build 02-Apr-2021 09:31:40 at sun.net.NetworkClient.doConnect (NetworkClient.java:182) build 02-Apr-2021 09:31:40 at sun.net.www.http.HttpClient.openServer (HttpClient.java:474) build 02-Apr-2021 09:31:40 at sun.net.www.http.HttpClient.openServer (HttpClient.java:569) build 02-Apr-2021 09:31:40 at sun.net.www.http.HttpClient.<init> (HttpClient.java:242) build 02-Apr-2021 09:31:40 at sun.net.www.http.HttpClient.New (HttpClient.java:341) build 02-Apr-2021 09:31:40 at sun.net.www.http.HttpClient.New (HttpClient.java:362) build 02-Apr-2021 09:31:40 at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient (HttpURLConnection.java:1248) build 02-Apr-2021 09:31:40 at sun.net.www.protocol.http.HttpURLConnection.plainConnect0 (HttpURLConnection.java:1187) build 02-Apr-2021 09:31:40 at sun.net.www.protocol.http.HttpURLConnection.plainConnect (HttpURLConnection.java:1081) build 02-Apr-2021 09:31:40 at sun.net.www.protocol.http.HttpURLConnection.connect (HttpURLConnection.java:1015) build 02-Apr-2021 09:31:40 at sun.net.www.protocol.http.HttpURLConnection.getInputStream0 (HttpURLConnection.java:1587) build 02-Apr-2021 09:31:40 at sun.net.www.protocol.http.HttpURLConnection.getInputStream (HttpURLConnection.java:1515) build 02-Apr-2021 09:31:40 at com.networknt.schema.uri.URLFetcher.openConnectionCheckRedirects (URLFetcher.java:57) build 02-Apr-2021 09:31:40 at com.networknt.schema.uri.URLFetcher.fetch (URLFetcher.java:43) build 02-Apr-2021 09:31:40 at com.networknt.schema.uri.URISchemeFetcher.fetch (URISchemeFetcher.java:50) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchemaFactory.getSchema (JsonSchemaFactory.java:337) build 02-Apr-2021 09:31:40 at com.networknt.schema.RefValidator.getRefSchema (RefValidator.java:83) build 02-Apr-2021 09:31:40 at com.networknt.schema.RefValidator.<init> (RefValidator.java:46) build 02-Apr-2021 09:31:40 at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0 (Native Method) build 02-Apr-2021 09:31:40 at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance (NativeConstructorAccessorImpl.java:62) build 02-Apr-2021 09:31:40 at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance (DelegatingConstructorAccessorImpl.java:45) build 02-Apr-2021 09:31:40 at java.lang.reflect.Constructor.newInstanceWithCaller (Constructor.java:500) build 02-Apr-2021 09:31:40 at java.lang.reflect.Constructor.newInstance (Constructor.java:481) build 02-Apr-2021 09:31:40 at com.networknt.schema.ValidatorTypeCode.newValidator (ValidatorTypeCode.java:131) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonMetaSchema.newValidator (JsonMetaSchema.java:351) build 02-Apr-2021 09:31:40 at com.networknt.schema.ValidationContext.newValidator (ValidationContext.java:54) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.read (JsonSchema.java:206) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.getValidators (JsonSchema.java:356) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:227) build 02-Apr-2021 09:31:40 at com.networknt.schema.PropertiesValidator.validate (PropertiesValidator.java:70) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchemaRef.validate (JsonSchemaRef.java:49) build 02-Apr-2021 09:31:40 at com.networknt.schema.RefValidator.validate (RefValidator.java:138) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.PropertiesValidator.validate (PropertiesValidator.java:70) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.ItemsValidator.doValidate (ItemsValidator.java:93) build 02-Apr-2021 09:31:40 at com.networknt.schema.ItemsValidator.validate (ItemsValidator.java:80) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.PropertiesValidator.validate (PropertiesValidator.java:70) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchemaRef.validate (JsonSchemaRef.java:49) build 02-Apr-2021 09:31:40 at com.networknt.schema.RefValidator.validate (RefValidator.java:138) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.ItemsValidator.doValidate (ItemsValidator.java:93) build 02-Apr-2021 09:31:40 at com.networknt.schema.ItemsValidator.validate (ItemsValidator.java:80) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.PropertiesValidator.validate (PropertiesValidator.java:70) build 02-Apr-2021 09:31:40 at com.networknt.schema.JsonSchema.validate (JsonSchema.java:229) build 02-Apr-2021 09:31:40 at com.networknt.schema.BaseJsonValidator.validate (BaseJsonValidator.java:96) build 02-Apr-2021 09:31:40 at org.cyclonedx.parsers.JsonParser.validate (JsonParser.java:234) build 02-Apr-2021 09:31:40 at org.cyclonedx.parsers.JsonParser.validate (JsonParser.java:219) build 02-Apr-2021 09:31:40 at org.cyclonedx.parsers.JsonParser.validate (JsonParser.java:124) build 02-Apr-2021 09:31:40 at org.cyclonedx.parsers.JsonParser.isValid (JsonParser.java:267) build 02-Apr-2021 09:31:40 at org.cyclonedx.maven.BaseCycloneDxMojo.createBom (BaseCycloneDxMojo.java:798) build 02-Apr-2021 09:31:40 at org.cyclonedx.maven.BaseCycloneDxMojo.execute (BaseCycloneDxMojo.java:763) build 02-Apr-2021 09:31:40 at org.cyclonedx.maven.CycloneDxAggregateMojo.execute (CycloneDxAggregateMojo.java:124) build 02-Apr-2021 09:31:40 at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56) build 02-Apr-2021 09:31:40 at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128) build 02-Apr-2021 09:31:40 at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305) build 02-Apr-2021 09:31:40 at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) build 02-Apr-2021 09:31:40 at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) build 02-Apr-2021 09:31:40 at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956) build 02-Apr-2021 09:31:40 at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288) build 02-Apr-2021 09:31:40 at org.apache.maven.cli.MavenCli.main (MavenCli.java:192) build 02-Apr-2021 09:31:40 at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) build 02-Apr-2021 09:31:40 at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62) build 02-Apr-2021 09:31:40 at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43) build 02-Apr-2021 09:31:40 at java.lang.reflect.Method.invoke (Method.java:567) build 02-Apr-2021 09:31:40 at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282) build 02-Apr-2021 09:31:40 at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225) build 02-Apr-2021 09:31:40 at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406) build 02-Apr-2021 09:31:40 at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)

Hello Team,

How can i use cyclonedx to get the SBOM without adding to as part of POM.xml ?

A work colleague created an application that generates a BOM using this library.

I have created a Spring Boot application where I need to read that BOM and do something.

I am having issues reading the licenses nodes.

The generation of the licenses node is as below:

"licenses": {
  "licenses": [
    {
      "id": "Apache 2.0"
    }
  ]
}, // ...

But the only way I can make it work is:

"licenses": [
  {
    "id": "Apache 2.0"
  }
], // ...

Is this an expected behavior?

When a BOM uses a license expression instead of identifying individual licenses org.cyclonedx.util.LicenseDeserializer throws a JsonProcessingException which effectively stops the parsing of the BOM.

NOTE: This bug only effects JSON BOM's it appears that the XML Parser correctly handles the condition.

How to reproduce
Attempt to parse a BOM with a component where the license is defined with an expression.

    {
      "type": "library",
      "bom-ref": "pkg:maven/org.glassfish.hk2/[email protected]?type=jar",
      "publisher": "GlassFish Community",
      "group": "org.glassfish.hk2",
      "name": "osgi-resource-locator",
      "version": "1.0.1",
      "licenses": [{"expression": "(CDDL-1.0 OR GPL-2.0-with-classpath-exception)"}]
    }

Root Cause
The LicenseDeserializer class is attempting to convert the licenses block into an array of License objects which it then stores into a new LicenseChoice object. Since the given block doesn't match a license entity a JsonProcessingException is thrown.

What should happen
When LicenseDeserializer throws a JsonProcessingException attempt to read deserialize the value into a new LicenseChoice object. If the JsonProcessingException occurred because the licenses section is similar to above it will deserialize into the LicenseChoice object. If the block is malformed this attempt to deserialize will only cause a JsonProcessingException so current failure logic will still apply.

Similar to the ExtensibleElement abstract base class, it might make sense to introduce an ExternalReference interface, so functions that add external references to class instances could operate on that interface instead of having function overloads for all classes that may contain external references. What do you think @stevespringett?

In BomParserFactory there is following line ~37:
final byte[] bytes = IOUtils.toByteArray(new FileInputStream(file), 1);

The FileInputStream is not closed, thus the file handle stays open. Maybe enclosing it in a try-resource would be better.

While XML serialization works, for JSON I get

Collection should be empty but contained [org.cyclonedx.exception.ParseException: $.components[0].licenses[0].license.text.encoding: null found, string expected, org.cyclonedx.exception.ParseException: $.components[0].licenses[0].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[0].licenses[1].license.text.encoding: null found, string expected, org.cyclonedx.exception.ParseException: $.components[0].licenses[1].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[0].licenses[1].license.text.content: null found, string expected, org.cyclonedx.exception.ParseException: $.components[0].licenses[2].license.text.encoding: null found, string expected, org.cyclonedx.exception.ParseException: $.components[0].licenses[2].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[0].licenses[3].license.text.encoding: null found, string expected, org.cyclonedx.exception.ParseException: $.components[0].licenses[3].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[0].licenses[4].license.text.encoding: null found, string expected, org.cyclonedx.exception.ParseException: $.components[0].licenses[4].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[1].licenses[0].license.text.encoding: null found, string expected, org.cyclonedx.exception.ParseException: $.components[1].licenses[0].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[1].licenses[1].license.text.encoding: null found, string expected, org.cyclonedx.exception.ParseException: $.components[1].licenses[1].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[2].licenses[0].license.text.encoding: null found, string expected, org.cyclonedx.exception.ParseException: $.components[2].licenses[0].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[2].licenses[1].license.text.encoding: null found, string expected, org.cyclonedx.exception.ParseException: $.components[2].licenses[1].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[3].licenses[0].license.text.encoding: null found, string expected, ...] and 3 more
java.lang.AssertionError: Collection should be empty but contained [org.cyclonedx.exception.ParseException: $.components[0].licenses[0].license.text.encoding: null found, string expected, org.cyclonedx.exception.ParseException: $.components[0].licenses[0].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[0].licenses[1].license.text.encoding: null found, string expected, org.cyclonedx.exception.ParseException: $.components[0].licenses[1].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[0].licenses[1].license.text.content: null found, string expected, org.cyclonedx.exception.ParseException: $.components[0].licenses[2].license.text.encoding: null found, string expected, org.cyclonedx.exception.ParseException: $.components[0].licenses[2].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[0].licenses[3].license.text.encoding: null found, string expected, org.cyclonedx.exception.ParseException: $.components[0].licenses[3].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[0].licenses[4].license.text.encoding: null found, string expected, org.cyclonedx.exception.ParseException: $.components[0].licenses[4].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[1].licenses[0].license.text.encoding: null found, string expected, org.cyclonedx.exception.ParseException: $.components[1].licenses[0].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[1].licenses[1].license.text.encoding: null found, string expected, org.cyclonedx.exception.ParseException: $.components[1].licenses[1].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[2].licenses[0].license.text.encoding: null found, string expected, org.cyclonedx.exception.ParseException: $.components[2].licenses[0].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[2].licenses[1].license.text.encoding: null found, string expected, org.cyclonedx.exception.ParseException: $.components[2].licenses[1].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[3].licenses[0].license.text.encoding: null found, string expected, ...] and 3 more

I was expecting to be able to work around the issue by explicitly settting the encoding on the AttachmentText object to "UTF8", but then I got

Collection should be empty but contained [org.cyclonedx.exception.ParseException: $.components[0].licenses[0].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[0].licenses[1].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[0].licenses[1].license.text.content: null found, string expected, org.cyclonedx.exception.ParseException: $.components[0].licenses[2].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[0].licenses[3].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[0].licenses[4].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[1].licenses[0].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[1].licenses[1].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[2].licenses[0].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[2].licenses[1].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[3].licenses[0].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[4].licenses[0].license.text.encoding: does not have a value in the enumeration [base64]]
java.lang.AssertionError: Collection should be empty but contained [org.cyclonedx.exception.ParseException: $.components[0].licenses[0].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[0].licenses[1].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[0].licenses[1].license.text.content: null found, string expected, org.cyclonedx.exception.ParseException: $.components[0].licenses[2].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[0].licenses[3].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[0].licenses[4].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[1].licenses[0].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[1].licenses[1].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[2].licenses[0].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[2].licenses[1].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[3].licenses[0].license.text.encoding: does not have a value in the enumeration [base64], org.cyclonedx.exception.ParseException: $.components[4].licenses[0].license.text.encoding: does not have a value in the enumeration [base64]]

So this apparently is not about the usual platform-specific text encoding, but optional "transmission encoding" of the license text. As I do not want "base64", and setting the encoding to "" (empty string) also does not work, I'm out of ideas for work-arounds.

In the 1.x stream, there are updated json libraries with new coords since Oracle passed JEE over to Eclipse/Jakarta.

        <dependency>
            <groupId>jakarta.json</groupId>
            <artifactId>jakarta.json-api</artifactId>
            <version>1.1.6</version>
        </dependency>

        <dependency>
            <groupId>org.glassfish</groupId>
            <artifactId>jakarta.json</artifactId>
            <version>1.1.6</version>
        </dependency>

Some projects don't declare their license conform to the SPDX standard. So CycloneDX can't determine which license the project is using, this result in additional efforts for manual auditing. Because of this, i need more license mappings. I will provide a PR for this.

Need some aliases for

• Apache-2.0
• BSD-2-Clause
• BSD-3-Clause
• CC0-1.0
• GPL-2.0-with-classpath-exception
• LGPL-2.1-only

Please see #213 for details.

Validating CycloneDX SBOMs in an offline environment fails.

com.networknt.schema.JsonSchemaException: java.net.UnknownHostException: cyclonedx.org
        at com.networknt.schema.JsonSchemaFactory.getSchema(JsonSchemaFactory.java:361)
        at com.networknt.schema.RefValidator.getRefSchema(RefValidator.java:83)
        at com.networknt.schema.RefValidator.<init>(RefValidator.java:46)
        at jdk.internal.reflect.GeneratedConstructorAccessor8.newInstance(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
        at com.networknt.schema.ValidatorTypeCode.newValidator(ValidatorTypeCode.java:131)
        at com.networknt.schema.JsonMetaSchema.newValidator(JsonMetaSchema.java:351)
        at com.networknt.schema.ValidationContext.newValidator(ValidationContext.java:54)
        at com.networknt.schema.JsonSchema.read(JsonSchema.java:206)
        at com.networknt.schema.JsonSchema.getValidators(JsonSchema.java:356)
        at com.networknt.schema.JsonSchema.validate(JsonSchema.java:227)
        at com.networknt.schema.PropertiesValidator.validate(PropertiesValidator.java:70)
        at com.networknt.schema.JsonSchema.validate(JsonSchema.java:229)
        at com.networknt.schema.JsonSchemaRef.validate(JsonSchemaRef.java:49)
        at com.networknt.schema.RefValidator.validate(RefValidator.java:138)
        at com.networknt.schema.JsonSchema.validate(JsonSchema.java:229)
        at com.networknt.schema.PropertiesValidator.validate(PropertiesValidator.java:70)
        at com.networknt.schema.JsonSchema.validate(JsonSchema.java:229)
        at com.networknt.schema.ItemsValidator.doValidate(ItemsValidator.java:93)
        at com.networknt.schema.ItemsValidator.validate(ItemsValidator.java:80)
        at com.networknt.schema.JsonSchema.validate(JsonSchema.java:229)
        at com.networknt.schema.PropertiesValidator.validate(PropertiesValidator.java:70)
        at com.networknt.schema.JsonSchema.validate(JsonSchema.java:229)
        at com.networknt.schema.JsonSchemaRef.validate(JsonSchemaRef.java:49)
        at com.networknt.schema.RefValidator.validate(RefValidator.java:138)
        at com.networknt.schema.JsonSchema.validate(JsonSchema.java:229)
        at com.networknt.schema.ItemsValidator.doValidate(ItemsValidator.java:93)
        at com.networknt.schema.ItemsValidator.validate(ItemsValidator.java:80)
        at com.networknt.schema.JsonSchema.validate(JsonSchema.java:229)
        at com.networknt.schema.PropertiesValidator.validate(PropertiesValidator.java:70)
        at com.networknt.schema.JsonSchema.validate(JsonSchema.java:229)
        at com.networknt.schema.PropertiesValidator.validate(PropertiesValidator.java:70)
        at com.networknt.schema.JsonSchema.validate(JsonSchema.java:229)
        at com.networknt.schema.JsonSchemaRef.validate(JsonSchemaRef.java:49)
        at com.networknt.schema.RefValidator.validate(RefValidator.java:138)
        at com.networknt.schema.JsonSchema.validate(JsonSchema.java:229)
        at com.networknt.schema.ItemsValidator.doValidate(ItemsValidator.java:93)
        at com.networknt.schema.ItemsValidator.validate(ItemsValidator.java:80)
        at com.networknt.schema.JsonSchema.validate(JsonSchema.java:229)
        at com.networknt.schema.PropertiesValidator.validate(PropertiesValidator.java:70)
        at com.networknt.schema.JsonSchema.validate(JsonSchema.java:229)
        at com.networknt.schema.BaseJsonValidator.validate(BaseJsonValidator.java:96)
        at org.cyclonedx.parsers.JsonParser.validate(JsonParser.java:234)
        at org.cyclonedx.parsers.JsonParser.validate(JsonParser.java:219)
        at org.cyclonedx.parsers.JsonParser.validate(JsonParser.java:124)
        at org.cyclonedx.parsers.JsonParser.isValid(JsonParser.java:267)
        at org.cyclonedx.BomJsonGeneratorTest.schema12GenerationTest(BomJsonGeneratorTest.java:46)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:59)
        at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
        at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:56)
        at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
        at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
        at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
        at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
        at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
        at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
        at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
        at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:63)
        at org.junit.runners.ParentRunner$4.run(ParentRunner.java:331)
        at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:79)
        at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:329)
        at org.junit.runners.ParentRunner.access$100(ParentRunner.java:66)
        at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:293)
        at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
        at org.junit.runners.ParentRunner.run(ParentRunner.java:413)
        at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:252)
        at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:141)
        at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:112)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:189)
        at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:165)
        at org.apache.maven.surefire.booter.ProviderFactory.invokeProvider(ProviderFactory.java:85)
        at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:115)
        at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:75)
Caused by: java.net.UnknownHostException: cyclonedx.org
        at java.base/java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:220)
        at java.base/java.net.Socket.connect(Socket.java:609)
        at java.base/java.net.Socket.connect(Socket.java:558)
        at java.base/sun.net.NetworkClient.doConnect(NetworkClient.java:182)
        at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:474)
        at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:569)
        at java.base/sun.net.www.http.HttpClient.<init>(HttpClient.java:242)
        at java.base/sun.net.www.http.HttpClient.New(HttpClient.java:341)
        at java.base/sun.net.www.http.HttpClient.New(HttpClient.java:362)
        at java.base/sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1253)
        at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1187)
        at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1081)
        at java.base/sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:1015)
        at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1592)
        at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1520)
        at com.networknt.schema.uri.URLFetcher.openConnectionCheckRedirects(URLFetcher.java:57)
        at com.networknt.schema.uri.URLFetcher.fetch(URLFetcher.java:43)
        at com.networknt.schema.uri.URISchemeFetcher.fetch(URISchemeFetcher.java:50)
        at com.networknt.schema.JsonSchemaFactory.getSchema(JsonSchemaFactory.java:337)
        ... 81 more

For me it would be very helpful if this library had an additional export format in a Lightweight markup language besides json and xml. E.g. Markdown or AsciiDoc. This would make it easy to include in readme, changelog files etc.

When we make the sbom with the code below,
BomXmlGenerator generator = BomGeneratorFactory.createXml(CycloneDxSchema.Version.VERSION_13, cycloneDxSbom);

<?xml version="1.0" encoding="UTF-8"?>
<bom serialNumber="urn:uuid:7ea0b192-1dcd-4f95-b2f3-0aa7a0d9e17a" version="1" xmlns="http://cyclonedx.org/schema/bom/1.3">
  <metadata>
    <timestamp>2021-08-25T03:59:43Z</timestamp>
    <tools>
      <tool>
        <vendor>testComp</vendor>
        <name>testTool</name>
        <version>v2.0.0-alpha</version>
      </tool>
    </tools>
    <authors>
      <author>
        <name>Tester</name>
        <email>[email protected]</email>
        <phone>+00-0000-0000</phone>
      </author>
    </authors>
    <component type="application" bom-ref="root">
      <name>test</name>
    </component>
  </metadata>
  <components/>
</bom>

BomJsonGenerator generator = BomGeneratorFactory.createJson(CycloneDxSchema.Version.VERSION_13, cycloneDxSbom);

{
  "bomFormat" : "CycloneDX",
  "specVersion" : "1.3",
  "serialNumber" : "urn:uuid:adaa70fa-b97d-4bcb-a1d4-62437df7c490",
  "version" : 1,
  "metadata" : {
    "timestamp" : "2021-08-25T02:27:04Z",
    "tools" : [
      {
        "vendor" : "testComp",
        "name" : "testTool",
        "version" : "v2.0.0-alpha"
      }
    ],
    "authors" : [
      {
        "name" : "tester",
        "email" : "[email protected]",
        "phone" : "+00-000-0000"
      }
    ],
    "component" : {
      "name" : "test",
      "type" : "application",
      "bom-ref" : "root"
    }
  },
  "components" : [ ],
  "dependencies"
}

1. json file is invalid because of "dependencies".
2. Even if we make something with components and dependencies, it is created invalid because of "vulnerabilities".
3. Please check.

Refactor tests so that parsing to Bom objects and all validation leverages test files from specification repo

The move to Jackson in #69 broke support for descendants and variants in a components pedigree.

The code as of today specifies:

@JacksonXmlElementWrapper(localName = "ancestors")
@JacksonXmlProperty(localName = "component")
public List<Component> getAncestors() {
    return ancestors;
}

However, when adding the following to

@JacksonXmlElementWrapper(localName = "descendants")
@JacksonXmlProperty(localName = "component")
public List<Component> getDescendants() {
    return descendants;
}

breaks with the following exception:
org.cyclonedx.exception.ParseException: com.fasterxml.jackson.databind.exc.InvalidDefinitionException: Conflicting getter definitions for property "component": org.cyclonedx.model.Pedigree#getAncestors() vs org.cyclonedx.model.Pedigree#getDescendants()

Jackson was removed previously in 92f9251 due to this issue. A workaround will need to be implemented, even if it relies on an alternative framework.

See also: FasterXML/jackson-dataformat-xml#192

Hello,

What are the steps to create Java SBOM ? . I have a java based zip folder to create SBOM out of it.
Can you share the steps to create SBOM

Regards,
Vasavi

When using the cyclonedx-gradle-plugin version 1.2.0 build produces this error:

> Could not resolve all artifacts for configuration ':classpath'.
   > Could not find com.github.everit-org.json-schema:org.everit.json.schema:1.12.1.
     Searched in the following locations:
       - file:/C:/Users/lislei/.m2/repository/com/github/everit-org/json-schema/org.everit.json.schema/1.12.1/org.everit.json.schema-1.12.1.pom
       - https://nexus.statkart.no/repository/public/com/github/everit-org/json-schema/org.everit.json.schema/1.12.1/org.everit.json.schema-1.12.1.pom
     Required by:
         project : > org.cyclonedx:cyclonedx-gradle-plugin:1.2.0 > org.cyclonedx:cyclonedx-core-java:3.0.5

The problem is that a dependency is not publishet in maven-central.

The easiest solution would be to have the dependency published to maven central.
If not, is it feasable to choose a different implementation for json parsing?

Background

On debian & ubuntu systems the dpkg copyright files are (in modern times, thank goodness) intended to be machine readable according to this spec. The CycloneDX linux generator on Ubuntu faithfully replicates the text of the copyright file into components/[]/licenses/[]/license/text/content as one might expect.

According to the JSON AbstractBomGenerator.java line 68 it would appear ALL STRINGS, when serialized to JSON, are serialized with TrimStringSerialize which not only trims whitespace but removes it similar to how an HTML processor might.

The XML AbstractBomXmlGenerator.java does not remove whitespace, which would seem to be the correct behavior.

Bug

1. I would argue that not all strings in BOMs should have their whitespace remove & coalesced when converted to JSON. Copyright and license file text in particular is a good example where replicating the original is probably best.
2. I think the JSON & XML formats of the same BOM should contain identical data, this includes text/strings and their whitespace.

History

• @stevespringett implemented TrimStringSerializer in 0fab7fb#diff-9f5ef24a21ed10eaae782875e4efc0cd90cec8b7f598bee89d096f50431db5cc.
• That was in turn a cleanup of his earlier work in 2e5ace4#diff-1ba2a4fedacc21e8c4b7d22713a15269ac6f187cd10332015d28de1c341e0465.

Without test cases to accompany either of those changes, it's hard for me to understand why they were made. The history of July 9th 2020 doesn't show PRs or groups of commits that seem to help me understand either. The problem is that this behavior was obviously desired, but I'm not clear why or how it would be helpful.

Potential Solutions

1. I can use the XML formatted output (at least for now), which does not appear to mangle the structure of the dpkg copyright files when converting them to license text.
2. I'd be happy to submit a PR with appropriate fixes, but I'm really hoping @stevespringett might somehow remember the reason behind this before I go writing code that could break something important as per my note above about at least some part of this being desired behavior.

Personal Note

This is my first comment to this project, and I look forward to working with you if possible. I have both personal and professional interest in this area, and I hope to both integrate with and contribute to CycloneDX.

When generating the BOM with transitive dependencies

e.g.: application > library1 > library1.1

the block of library1 does not include library1.1

Expected output:

Add support for Blake3 to BomUtils.

Requires commons-codec 1.16 (not currently released)

As a new user, I wonder why Bom.java has schemaVersion which

1. never seems to be read, and
2. the schemaVersion seems to be handled as part of the BomGenerator instead.

Moreover, the schemaVersion in Bom.java is a String instead of a CycloneDxSchema.Version. Can't schemaVersion simply be removed from Bom.java?

I have a java jar /zip project, I want to generate a BOM with Java API instead of maven plugin, what should I do?

I have the use case, that I need the license text in my bom.xml (see Bom 1.1 Schema).
Sadly it seems, that there is no logic, which buts it in the Document.

Thats the code which generates the license node:

Is this a bug?

Current approach to JSON Dependency serialization outputs an invalid CycloneDX bom across all JSON version specifications

Existing output:

    "dependencies": [
        "pkg:npm/acme/[email protected]",
        "pkg:npm/acme/[email protected]"
    ]

Valid output as per specification:

  "dependencies": [
    {
      "ref": "pkg:npm/acme/[email protected]",
      "dependsOn": [
        "pkg:npm/acme/[email protected]"
      ]
    },
    {
      "ref": "pkg:npm/acme/[email protected]",
      "dependsOn": [
        "pkg:npm/acme/[email protected]",
        "pkg:npm/acme/[email protected]",
        "pkg:npm/acme/[email protected]"
      ]
    }
  ]

I already have a PR ready with a fix I tested locally.

Jackson annotation should be:

    @JacksonXmlProperty(isAttribute = true, localName = "mime-type")

Looking at the copyright header on the PropertyDeserializer:

/*
 * Copyright (c) 2018,2019, 2020, 2021 Lockheed Martin Corporation.
 *
 * This work is owned by Lockheed Martin Corporation. Lockheed Martin personnel are permitted to use and
 * modify this software.  Lockheed Martin personnel may also deliver this source code to any US Government
 * customer Agency under a "US Government Purpose Rights" license.
 *
 * See the LICENSE file distributed with this work for licensing and distribution terms
 */

The code in that file is owned by Lockheed Martin and that only their personnel are permitted to use and modify that file. Was this intentional or did the author (@wrgoff) accidentally have this copyright statement set in their IDE?

The spec seems to allow setting "undeclared elements" on license tags. It would be great if the License API would actually support that.

Background: We want to set additional meta-data on licenses, e.g. about whether it was a declared license or a detected license (also see this discussion). If the Cyclone DX spec already allows to set additional elements in order to cover that use case, we just need API exposure of that feature. However, if the "undeclared elements" feature can not be used to cover this use-case, we probably need to think about extended both spec and API to allow e.g. a type attribute on the license tag as proposed in the linked post. Another possible name for a new attribute would be origin, so we could have something like <license origin="meta-data"> (for declared licenses) and <license origin="license-scanner"> (for detected licenses).

In ORT, we're using extensibleTypes to record the "origin" of a license or the "type" of a dependency. While serializing such a BOM to XML works fine, serializing the same BOM to JSON fails with:

com.fasterxml.jackson.databind.JsonMappingException:
class com.fasterxml.jackson.core.json.WriterBasedJsonGenerator cannot be cast to class com.fasterxml.jackson.dataformat.xml.ser.ToXmlGenerator (com.fasterxml.jackson.core.json.WriterBasedJsonGenerator and com.fasterxml.jackson.dataformat.xml.ser.ToXmlGenerator are in unnamed module of loader 'app')
(through reference chain: org.cyclonedx.model.Bom["components"]->java.util.ArrayList[0]->org.cyclonedx.model.Component["licenses"]->org.cyclonedx.model.License["extensibleTypes"])

From a quick glance, it seems to me that extensibleTypes serialization currently is XML-specific. If that's the case, is there a chance to get JSON support for extensibleTypes?

Hello Team,

What tool can I use to generate SBOM for Java applications built with Ant? There does not appear to be a specific plugin for Ant (only Maven and Gradle) and the CLI tool does not actually generate library components and scan the jars to determine the version/license.

Thanks.

I added an extensible type to a component. Code wise it looks good. I see the extensible type. XML wise looks a little wierd.

<component>
      .....
     </externalReferences>
     <packageManager unixPackageManager="apt"/>
</component>

I would have expected it to be

<component>
     .....
     </externalReferences>
     <extensibleTypes>
          <extensibleType>
               <attributes>
                    <attribute>
                         <packageManager unixPackageManager="apt"/>
                    </attribute>
               </attributes>
         </extensibleType>
     </extensibleTypes>
</component>

And when attempting to read back in the bom.xml file, sure enough the extensible type is no where to be found.

the Dependency class currently contains a dependencies field which is typed as a List<Dependency>, which implies that dependencies can be nested. This is incorrect based on both the current specification and the JSON schema, which has "dependsOn" as a list of bom-refs. This can lead to developers believing dependencies can be nested, and producing invalid BOMs as a result.

To double check this, I also compared this with the JavaScript which does implement the dependencies list as a string.

I'm in the process of writing a CycloneDX BOM reporter for ORT and I'm facing a validation issue for license ids that are SPDX LicenseRefs. If a license's id is something like "LicenseRef-scancode-mit-taylor-variant" I get:

Collection should be empty but contained [org.xml.sax.SAXParseException; systemId: file:/tmp/tmp7460662245339740355.tmp; lineNumber: 333; columnNumber: 68; cvc-enumeration-valid: Value 'LicenseRef-scancode-mit-taylor-variant' is not facet-valid with respect to enumeration '[0BSD, AAL, ADSL, ...]'

To me, the spec is a bit unclear whether this is intended behavior or not. I was assuming id could be either a "core" SPDX license id or a LicenseRef, and only if it is neither use name instead. However, it seems that id must only be "core" SPDX licnese ids, and anything else goes to name.

Could you please clarify on the intended behavior?

I just noticed that a component's description is not escaped before writing the XML. I'd assume this is something the library should do, as the caller in theory does not know to which format the data will be serialized, and thus can't know about the required escaping, if any.

This was originally reported at oss-review-toolkit/ort#2814.