CERTCC / SBOM

Examples and proof-of-concept for Software Bill of Materials (SBOM) code & data
MIT License

Add CycloneDx v1.2 JSON #4

Closed sparrell closed 3 years ago

sparrell commented 3 years ago

CycloneDx v1.2 supports JSON output. Could you add CycloneDx-JSON as an output format?

sei-vsarvepalli commented 3 years ago

Hello Duncan,

Hit a road block with this. I may need to reach out to Steve for this; if you have his GitHub account, please add him as a participant so we can hopefully track the progress here.

When I tried to validate one of the sample BOMs at https://cyclonedx.org/use-cases/#dependency-graph using the JSON schema in http://cyclonedx.org/schema/bom-1.2.schema.json I get the error below. I need to make sure I have the right JSON schema to validate the backend output against. Somewhere the dependsOn structure is not consistent with the JSON format, perhaps.

jsonschema.exceptions.SchemaError: [{u'ref': u'acme-app', u'dependsOn': [u'pkg:maven/org.acme/web-framework@1.0.0', u'pkg:maven/org.acme/persistence@3.1.0']}, {u'ref': u'pkg:maven/org.acme/web-framework@1.0.0', u'dependsOn': [u'pkg:maven/org.acme/common-util@3.0.0']}, {u'ref': u'pkg:maven/org.acme/persistence@3.1.0', u'dependsOn': [u'pkg:maven/org.acme/common-util@3.0.0']}, {u'ref': u'pkg:maven/org.acme/common-util@3.0.0', u'dependsOn': []}] is not of type u'object'

Failed validating u'type' in schema[u'properties'][u'dependencies']:
    {u'additionalProperties': {u'anyOf': [{u'$ref': u'#'},
                                          {u'$ref': u'#/definitions/stringArray'}]},
     u'type': u'object'}

On instance[u'dependencies']:
    [{u'dependsOn': [u'pkg:maven/org.acme/web-framework@1.0.0',
                     u'pkg:maven/org.acme/persistence@3.1.0'],
      u'ref': u'acme-app'},
     {u'dependsOn': [u'pkg:maven/org.acme/common-util@3.0.0'],
      u'ref': u'pkg:maven/org.acme/web-framework@1.0.0'},
     {u'dependsOn': [u'pkg:maven/org.acme/common-util@3.0.0'],
      u'ref': u'pkg:maven/org.acme/persistence@3.1.0'},
     {u'dependsOn': [], u'ref': u'pkg:maven/org.acme/common-util@3.0.0'}]

My current samples for both the JSON schema and the payload can be downloaded from the democert site too: https://democert.org/sbom/sample-cylconedx-dependencies.json https://democert.org/sbom/bom-1.2.schema.json

Thanks Vijay

sparrell commented 3 years ago

@sei-vsarvepalli Vijay, Steve's GitHub is @stevespringett but he isn't on this repo so I'm not sure this will alert him.

stevespringett commented 3 years ago

@sei-vsarvepalli The sample you have is perfectly valid. Confirmed it.

Keep in mind that the CycloneDX base schemas (both XML and JSON) both reference an external SPDX schema for license ID validation. If you're validating against a local copy of the JSON or XML schema, you'll also need to pull down the corresponding SPDX schema as well.

As noted in the docs, the SPDX schema files are updated independently of CycloneDX itself, so as new SPDX license IDs are added over time, CycloneDX will be able to take advantage of them without having to release new versions of the spec. Generally speaking, every time SPDX releases an updated license list, the CycloneDX team updates their corresponding license list within about a week.

See https://github.com/CycloneDX/specification/tree/master/schema

sei-vsarvepalli commented 3 years ago

Thanks Steven,

I don't see any licenses in the sample anyway, so a bit confused about how to validate properly. If you have suggestions for validating the JSON before providing an output in JSON format I could use that. I was using the jsonschema.validator Python library.

Thanks Vijay

stevespringett commented 3 years ago

Whenever a schema references another schema, all schemas need to be resolved before validation can be performed. Otherwise validation will fail even for perfectly valid payloads - which is what's happening in this case. This is true for any schema, not just CycloneDX.

For JSON Schema, the CycloneDX SPDX schema is implemented as a reference. See https://github.com/CycloneDX/specification/blob/master/schema/bom-1.2.schema.json#L573

The Python library you're using handles references. See https://python-jsonschema.readthedocs.io/en/stable/references/

So I think it's possible to properly validate using the chosen library.

sei-vsarvepalli commented 3 years ago

This should be working now at https://democert.org/sbom/ - please test it out to confirm. The Graph download is enabled now for downloading current info graph as a PNG file. Graph download does NOT work in Safari browser.

Duncan - please test it out and let me know and I can then close the issue.

Steve - if you get a chance, run "Load Example" and under CycloneDX select JSON and let me know if you are also able to validate it.

Thanks Vijay

stevespringett commented 3 years ago

The tool is generating invalid CycloneDX XML and JSON documents.

XML validation errors:

Element 'supplier' cannot have character [children], because the type's content type is element-only.
Element 'supplier' cannot have character [children], because the type's content type is element-only.
Element 'supplier' cannot have character [children], because the type's content type is element-only.
Element 'supplier' cannot have character [children], because the type's content type is element-only.
Invalid content was found starting with element '{"http://cyclonedx.org/schema/bom/1.2":description}'. One of '{"http://cyclonedx.org/schema/bom/1.2":supplier, "http://cyclonedx.org/schema/bom/1.2":author, "http://cyclonedx.org/schema/bom/1.2":publisher, "http://cyclonedx.org/schema/bom/1.2":group, "http://cyclonedx.org/schema/bom/1.2":name}' is expected.
Invalid content was found starting with element '{"http://cyclonedx.org/schema/bom/1.2":description}'. One of '{"http://cyclonedx.org/schema/bom/1.2":supplier, "http://cyclonedx.org/schema/bom/1.2":author, "http://cyclonedx.org/schema/bom/1.2":publisher, "http://cyclonedx.org/schema/bom/1.2":group, "http://cyclonedx.org/schema/bom/1.2":name}' is expected.
Invalid content was found starting with element '{"http://cyclonedx.org/schema/bom/1.2":description}'. One of '{"http://cyclonedx.org/schema/bom/1.2":supplier, "http://cyclonedx.org/schema/bom/1.2":author, "http://cyclonedx.org/schema/bom/1.2":publisher, "http://cyclonedx.org/schema/bom/1.2":group, "http://cyclonedx.org/schema/bom/1.2":name}' is expected.
Invalid content was found starting with element '{"http://cyclonedx.org/schema/bom/1.2":description}'. One of '{"http://cyclonedx.org/schema/bom/1.2":supplier, "http://cyclonedx.org/schema/bom/1.2":author, "http://cyclonedx.org/schema/bom/1.2":publisher, "http://cyclonedx.org/schema/bom/1.2":group, "http://cyclonedx.org/schema/bom/1.2":name}' is expected.

JSON validation errors:

Invalid content was found starting with element '{"http://cyclonedx.org/schema/bom/1.2":description}'. One of '{"http://cyclonedx.org/schema/bom/1.2":supplier, "http://cyclonedx.org/schema/bom/1.2":author, "http://cyclonedx.org/schema/bom/1.2":publisher, "http://cyclonedx.org/schema/bom/1.2":group, "http://cyclonedx.org/schema/bom/1.2":name}' is expected.
Element 'supplier' cannot have character [children], because the type's content type is element-only.
Invalid content was found starting with element '{"http://cyclonedx.org/schema/bom/1.2":description}'. One of '{"http://cyclonedx.org/schema/bom/1.2":supplier, "http://cyclonedx.org/schema/bom/1.2":author, "http://cyclonedx.org/schema/bom/1.2":publisher, "http://cyclonedx.org/schema/bom/1.2":group, "http://cyclonedx.org/schema/bom/1.2":name}' is expected.
Element 'supplier' cannot have character [children], because the type's content type is element-only.
Invalid content was found starting with element '{"http://cyclonedx.org/schema/bom/1.2":description}'. One of '{"http://cyclonedx.org/schema/bom/1.2":supplier, "http://cyclonedx.org/schema/bom/1.2":author, "http://cyclonedx.org/schema/bom/1.2":publisher, "http://cyclonedx.org/schema/bom/1.2":group, "http://cyclonedx.org/schema/bom/1.2":name}' is expected.
Element 'supplier' cannot have character [children], because the type's content type is element-only.
Invalid content was found starting with element '{"http://cyclonedx.org/schema/bom/1.2":description}'. One of '{"http://cyclonedx.org/schema/bom/1.2":supplier, "http://cyclonedx.org/schema/bom/1.2":author, "http://cyclonedx.org/schema/bom/1.2":publisher, "http://cyclonedx.org/schema/bom/1.2":group, "http://cyclonedx.org/schema/bom/1.2":name}' is expected.
Element 'supplier' cannot have character [children], because the type's content type is element-only.

I personally use Oxygen XML to validate XML and JSON documents whenever I have a need to manually create/modify them or whenever I'm working on implementing a spec of some kind. There are many other general purpose XML and JSON tools that can do the same.

Also:

sei-vsarvepalli commented 3 years ago

Steve,

Thanks - I am looking into this. Probably the programmatic clone of elements to CycloneDX is broken. Let me try your approach and fix the issues.

Thanks

sei-vsarvepalli commented 3 years ago

Hello Steve,

The XML validates okay now with slight modifications. Can you please verify?

I have verified with my xmlschema tool but not 100% sure if it is loading the multiple child schema references. If you can also take a look at the JSON, which I am not able to validate with my library as the Resolver for additional schemas does not seem to really work.

Thanks for your help. Vijay

stevespringett commented 3 years ago

The XML validates.

The JSON still does not.

#/metadata/component/supplier: expected type: JSONObject, found: String

Also note that manufacture for components is not valid.
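An added pre-flight lint (my own example, not code from this repository or the democert tool) for the two JSON defects reported in this comment plus the dependencies shape from the first error in the thread; the sample BOM is constructed. It complements, rather than replaces, full schema validation, which as noted above still needs the SPDX license schema to be resolvable.

```python
import json

# Constructed sample (an assumption, not the tool's real output): shaped like the
# democert output discussed above, with the two JSON defects Steve reported.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.2",
    "version": 1,
    "metadata": {
        "component": {"type": "application", "name": "acme-app",
                      "supplier": "Acme Inc"}          # defect: string, not object
    },
    "components": [
        {"type": "library", "name": "web-framework", "version": "1.0.0",
         "purl": "pkg:maven/org.acme/web-framework@1.0.0",
         "manufacture": {"name": "Acme Inc"}}          # defect: not a component field
    ],
    "dependencies": [                                   # valid 1.2 shape: array of {ref, dependsOn}
        {"ref": "acme-app", "dependsOn": ["pkg:maven/org.acme/web-framework@1.0.0"]},
        {"ref": "pkg:maven/org.acme/web-framework@1.0.0", "dependsOn": []},
    ],
}


def lint_bom(bom):
    """Return '#/pointer: message' strings for the defects this thread ran into.

    Accepts a parsed dict or a JSON string. This is a lint, not a replacement for
    schema validation, which still needs the SPDX license schema to be resolvable."""
    if isinstance(bom, str):
        bom = json.loads(bom)
    errors = []
    meta_comp = bom.get("metadata", {}).get("component")
    comps = [("#/metadata/component", meta_comp)] if meta_comp else []
    comps += [("#/components/%d" % i, c) for i, c in enumerate(bom.get("components", []))]
    for path, comp in comps:
        # supplier is an organizationalEntity object ({"name": ...}), never a bare string
        if "supplier" in comp and not isinstance(comp["supplier"], dict):
            errors.append("%s/supplier: expected type: JSONObject, found: %s"
                          % (path, type(comp["supplier"]).__name__))
        # 'manufacture' belongs under metadata in 1.2; components do not carry it
        if "manufacture" in comp:
            errors.append("%s/manufacture: not a valid component property" % path)
    deps = bom.get("dependencies", [])
    if not isinstance(deps, list):
        errors.append("#/dependencies: expected type: JSONArray, found: %s" % type(deps).__name__)
    else:
        for i, dep in enumerate(deps):
            if not isinstance(dep, dict) or "ref" not in dep \
                    or not isinstance(dep.get("dependsOn", []), list):
                errors.append("#/dependencies/%d: expected object with 'ref' and 'dependsOn' array" % i)
    return errors
```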

sei-vsarvepalli commented 3 years ago

Hello Steve,

Can you clarify that for XML everything is okay? For JSON there are at least two validation errors: (1) supplier NOT being an object, (2) manufacture format is wrong.

If that assumption is correct, it should be fixed. I don't seem to be able to do JSON validation, as draftvalidator7 with Reference seems to have some bug that I didn't have time to narrow down.

Thanks Vijay

stevespringett commented 3 years ago

Good news. The tool is producing valid XML and JSON.

sei-vsarvepalli commented 3 years ago

Hi @stevespringett Thanks. I will close this ticket.

Vijay