https://github.com/CycloneDX/cyclonedx-web-tool/runs/7798800441?check_suite_focus=true

/usr/bin/docker buildx build --build-arg VERSION=0.5.2 --iidfile /tmp/docker-build-push-7FIqNW/iidfile --platform linux/amd64,linux/arm64 --secret id=GIT_AUTH_TOKEN,src=/tmp/docker-build-push-7FIqNW/tmp-2033-6VgNzt1hCUW3 --tag cyclonedx/cyclonedx-web-tool:0.5.2 --tag cyclonedx/cyclonedx-web-tool:latest --metadata-file /tmp/docker-build-push-7FIqNW/metadata-file --push https://github.com/CycloneDX/cyclonedx-web-tool.git#b3d0c028c7a82e69ad63d1dc459b5af63c12fe51
error: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use")
Error: buildx failed with: error: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use")

On validating a version 1.4 CycloneDX in the validator, it is being invalidated because of CPE tags...

According to the specs, CPE was deprecated in v1.3, but, v1.4 shall support CPEs; stilll the validator is invalidating

My current thinking is a visual hierarchical diff. A bit like diff tools that support a diff between two directories.
A really basic mock up using meld

But with actual values display rather than just "version" etc

Add a basic interface to be able to search, browse, and download BOMs from any CDX API compliant repo server.

Context

Windows 10

Cyclone versions:

NPM Version: @cyclonedx/[email protected] of CycloneDX for NPM
.NET Version: 2.7.0 of CycloneDX for .NET

IDEs

VS 2022
VS Code

npm version 9.2.0
node version 18.12.1

Actions

1. Generating NPM and .NET BOMs from the latest boilerplate project on https://aspnetboilerplate.com as is - unpack, restore packages and run the BOM generation as described below

// for the NPM BOM
cyclonedx-npm --output-format "JSON" --output-file "bom.json" 

// for the .NET BOM
dotnet-CycloneDX .\FMS.sln -o ./
dotnet-CycloneDX .\FMS.sln -o ./ -j

The generation is ok.

2. Validation
   To validate the generated BOMs I am using the hosted version : https://cyclonedx.github.io/cyclonedx-web-tool

The validation tools returns errors on both BOMs

Results

From both validations I get alert : The file is not a valid v1.4 BOM.

From the NPM BOM validation I get :
'<' is an invalid start of a value. LineNumber: 0 | BytePositionInLine: 0.

From the .NET BOMs in JSON validation I get:
"Validation failed: #/properties/components/items"

From the .NET BOMs in XML validation I get:
Validation failed at line number 373 and position 28: The 'http://cyclonedx.org/schema/bom/1.4:id' element is invalid - The value 'NOASSERTION' is invalid according to its datatype 'http://cyclonedx.org/schema/spdx:licenseId' - The Enumeration constraint failed.

The resulting BOMs are attached.

BOMs.zip

Currently, v1.3 is the latest that can be validated. Support for v1.4 should be added.

I copied the example of https://cyclonedx.org/use-cases/#openchain-conformance in an XML and a JSON file (see "CycloneDX - OpenChain conformance.xml" and "CycloneDX - OpenChain conformance.json" in the ZIP file). I'm validated both and there are valid SBOM files.

If I convert the XML file with this tool to JSON then the file is valid but the second license ("LGPL-2.1-only") in evidence is missing (see "CycloneDX - OpenChain conformance - Converted.json" in the ZIP file).

If I convert the JSON file with this tool to XML then the file is an invalid SBOM file (see "CycloneDX - OpenChain conformance - Converted.xm"l in the ZIP file). I got the message "Validation failed at line number 24 and position 10: The element 'evidence' in namespace 'http://cyclonedx.org/schema/bom/1.5' has invalid child element 'licenses' in namespace 'http://cyclonedx.org/schema/bom/1.5'. List of possible elements expected: 'copyright' in namespace 'http://cyclonedx.org/schema/bom/1.5' as well as any element in namespace '##other'. "
CycloneDX - OpenChain conformance.zip

It seems like all SBOMs over 500kb cannot be verified.