Comments (8)
I found the issue; I hope to have a PR soon so it can be merged and have a new release for this, thank you.
from cyclonedx-core-java.
> I found the issue, I hope to have a PR soon so it can be merged and have a new release for this

I can confirm that release 8.0.1 fixed the issue, thanks. So I guess this issue can be closed, @stevespringett?
There are multiple PRs in progress to support 1.5.
While writing spec 1.5 SBOMs was added for version 8.0.0 via #316, it seems that the serialized JSON (and XML) do not pass validation, as I'm getting

```
Collection should be empty but contained org.cyclonedx.exception.ParseException: $.metadata.components: is not defined in the schema and the schema does not allow additional properties
```

for (Kotlin) code

```kotlin
// Imports assumed for cyclonedx-core-java 8.x; ORT_FULL_NAME, Environment.ORT_VERSION
// and dataLicense are defined by the calling project (ORT), not shown here.
import java.util.Date
import org.cyclonedx.model.Component
import org.cyclonedx.model.LicenseChoice
import org.cyclonedx.model.Metadata
import org.cyclonedx.model.metadata.ToolInformation

val metadata = Metadata().apply {
    timestamp = Date()
    // Non-deprecated way to declare the generating tool: a component inside ToolInformation
    toolChoice = ToolInformation().apply {
        components = listOf(
            Component().apply {
                type = Component.Type.APPLICATION
                name = ORT_FULL_NAME
                version = Environment.ORT_VERSION
            }
        )
    }
    licenseChoice = LicenseChoice().apply { expression = dataLicense }
}
```
> the serialized JSON (and XML) do not pass validation

@mr-zepol looks like this went unnoticed as the test data still uses the deprecated way to declare tools.
> the serialized JSON (and XML) do not pass validation
>
> @mr-zepol looks like this went unnoticed as the test data still uses the deprecated way to declare tools.

This is still valid metadata; the deprecated tool was not removed, and from the spec examples (where those tests were created) they are still valid: https://github.com/CycloneDX/specification/blob/master/tools/src/test/resources/1.5/valid-metadata-tool-deprecated-1.5.xml
> the test data still uses the deprecated way to declare tools

I will check this and will be back with more info; I am going to try to reproduce it, thanks.
> This is still valid metadata, the deprecated tool was not removed and from the spec examples

Right; what I was trying to say is: if you use the non-deprecated way and declare tools via `ToolInformation`, tool components get serialized directly under `metadata` (not nested under `tools` as required by the spec), which does not pass schema validation. See e.g.

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:1efc6fb4-5b37-4da9-80c9-75a38dec630e",
  "version": 1,
  "metadata": {
    "timestamp": "2023-10-05T05:56:55Z",
    "components": [
      {
        "name": "OSS Review Toolkit",
        "version": "IDE-SNAPSHOT",
        "type": "application"
      }
    ],
    "licenses": [
      {
        "expression": "CC0-1.0"
      }
    ]
  },
```
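The misplacement discussed in the issue body and in the comment above (tool components emitted under `metadata.components` rather than under `metadata.tools.components`) is easy to catch before an SBOM is handed to a full schema validator. The following Python pre-check is an added example and is not code from cyclonedx-core-java or from ORT; it assumes the list of keys allowed directly under `metadata` in spec 1.5 (transcribed from the published JSON schema, not taken from this thread), and its sample input is constructed from the JSON posted above with a placeholder serial number. It flags the stray key and relocates the components to where `ToolInformation` is meant to put them, so a consumer can tell a serializer bug apart from a genuinely malformed document.

```python
"""Added example (not part of cyclonedx-core-java or ORT): flag and repair tool
components that a serializer placed directly under metadata.components instead of
under metadata.tools.components, the layout required by CycloneDX 1.5."""
from __future__ import annotations

import json

# Constructed sample modelled on the JSON in the thread; the serialNumber is a placeholder.
BUGGY_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000000",
    "version": 1,
    "metadata": {
        "timestamp": "2023-10-05T05:56:55Z",
        "components": [
            {"name": "OSS Review Toolkit", "version": "IDE-SNAPSHOT", "type": "application"}
        ],
        "licenses": [{"expression": "CC0-1.0"}],
    },
    "components": [],
})

# Keys permitted directly under "metadata" in spec 1.5. Assumption: transcribed from
# the published 1.5 JSON schema; the schema sets additionalProperties to false.
METADATA_KEYS_1_5 = {
    "timestamp", "lifecycles", "tools", "authors", "component",
    "manufacture", "supplier", "licenses", "properties",
}


def find_misplaced_tool_components(bom: dict) -> list[str]:
    """Return one finding per key that the 1.5 schema does not allow under metadata."""
    findings = []
    for key in sorted(bom.get("metadata", {})):
        if key not in METADATA_KEYS_1_5:
            findings.append(f"$.metadata.{key}: not allowed under metadata in spec 1.5")
    return findings


def relocate_tool_components(bom: dict) -> dict:
    """Move a stray metadata.components list under metadata.tools.components.

    Works on a deep copy so the caller's document is left untouched. If the
    document already uses the deprecated array form of metadata.tools, the two
    shapes cannot be merged safely, so the function refuses rather than guess.
    """
    fixed = json.loads(json.dumps(bom))
    metadata = fixed.setdefault("metadata", {})
    stray = metadata.pop("components", None)
    if stray is None:
        return fixed
    tools = metadata.setdefault("tools", {})
    if isinstance(tools, list):
        raise ValueError("metadata.tools uses the deprecated array form; refusing to merge")
    tools.setdefault("components", []).extend(stray)
    return fixed


def check_bom_json(text: str) -> tuple[list[str], dict]:
    """Parse a CycloneDX JSON document and return (findings, repaired document)."""
    bom = json.loads(text)
    return find_misplaced_tool_components(bom), relocate_tool_components(bom)


if __name__ == "__main__":
    findings, repaired = check_bom_json(BUGGY_BOM)
    for line in findings:
        print("finding:", line)
    print(json.dumps(repaired["metadata"], indent=2))
```

The check deliberately stops at structure: it does not replace running the real 1.5 schema, it only tells you whether the failure is the specific misplacement reported here, which is what decides whether the fix belongs in the producer (upgrade the library) or in the document.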