Validation fails for <publisher> tag inside <component>
I tried to validate an SBOM with a component containing a publisher entry. This should be valid, according to: https://cyclonedx.org/docs/1.4/xml/#type_component
<?xml version='1.0'?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata>
    <component type="library" bom-ref="8cde4067-b70a-4723-8af4-6e51ddfe2ec6">
      <name>example.app</name>
      <publisher>Example Publisher</publisher>
      <version>15.5</version>
    </component>
  </metadata>
  <components>
  </components>
</bom>
But running it through cyclonedx-cli validate complains about the
c:\>cyclonedx-cli validate --input-format xml --fail-on-errors --input-version=v1_4 < publisher.cdx.xml
Validating XML BOM...
Validation failed at line number 6 and position 10: The element 'component' in namespace 'http://cyclonedx.org/schema/bom/1.4' has invalid child element 'publisher' in namespace 'http://cyclonedx.org/schema/bom/1.4'. List of possible elements expected: 'version, description, scope, hashes, licenses, copyright, cpe, purl, swid, modified, pedigree, externalReferences, properties, components, evidence, releaseNotes' in namespace 'http://cyclonedx.org/schema/bom/1.4' as well as any element in namespace '##other'.
BOM is not valid.
Edit: This was with the latest released binary version. I assume updating to a newer version with an up-to-date .NET cyclonedx library would fix it, as the schema has contained publisher there since 5.2.0. But the 0.24 binary was built with 5.1.1.
Still broken with cyclonedx-cli 0.24.2 binary.
@schlenk According to the specification
https://cyclonedx.org/docs/1.4/xml/#type_component
publisher needs to be in front of the name. If I swap these two, I'm able to validate the BOM successfully.
Ok, you are right, seems the tool creating the file messed up.
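The root cause in this thread is an XSD xs:sequence ordering rule, not a missing element: the 1.4 schema allows publisher, but only in the position the sequence gives it (supplier, author, publisher, group, name, version, ...). The following is an added example, not code from the issue, from cyclonedx-cli or from the CycloneDX project. It is a stdlib-only Python lint that checks the children of every <component> against the 1.4 sequence order, reports which element is out of place and which earlier sibling it must precede, and rewrites the document with the children sorted into schema order. The ordering list is my reading of the 1.4 component type linked above, so treat it as an assumption and keep running the real XSD validator (cyclonedx-cli validate) on the result; elements in foreign namespaces (the schema's "##other") are skipped by the check and appended last. The sample BOM embedded below is the one posted in the issue.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

CDX_NS = "http://cyclonedx.org/schema/bom/1.4"

# Child order of <component> as read from the CycloneDX 1.4 XSD xs:sequence
# (https://cyclonedx.org/docs/1.4/xml/#type_component). Assumption: verify
# against the schema you actually validate with before relying on it.
COMPONENT_ORDER = [
    "supplier", "author", "publisher", "group", "name", "version",
    "description", "scope", "hashes", "licenses", "copyright", "cpe",
    "purl", "swid", "modified", "pedigree", "externalReferences",
    "properties", "components", "evidence", "releaseNotes",
]
_RANK = {name: i for i, name in enumerate(COMPONENT_ORDER)}

# The BOM from the issue, embedded here as the constructed sample input.
SAMPLE_BOM = """<?xml version='1.0'?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata>
    <component type="library" bom-ref="8cde4067-b70a-4723-8af4-6e51ddfe2ec6">
      <name>example.app</name>
      <publisher>Example Publisher</publisher>
      <version>15.5</version>
    </component>
  </metadata>
  <components>
  </components>
</bom>
"""


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _is_cdx(tag: str) -> bool:
    return tag.startswith("{" + CDX_NS + "}")


def find_order_violations(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (bom-ref, element, must_precede) for every out-of-order child.

    `element` appears after `must_precede` in the document although the
    xs:sequence requires it to come before. Unknown CycloneDX-namespace
    children are reported with a placeholder in the third slot.
    """
    root = ET.fromstring(xml_text)
    violations = []
    for comp in root.iter("{%s}component" % CDX_NS):
        ref = comp.get("bom-ref", "<no bom-ref>")
        seen: List[str] = []  # CycloneDX children already passed, in document order
        for child in comp:
            if not _is_cdx(child.tag):
                continue  # ##other elements are outside this lint
            name = _local(child.tag)
            if name not in _RANK:
                violations.append((ref, name, "<not a 1.4 component child>"))
                continue
            for earlier in seen:
                if _RANK[earlier] > _RANK[name]:
                    violations.append((ref, name, earlier))
                    break
            seen.append(name)
    return violations


def reorder_components(xml_text: str) -> str:
    """Rewrite the BOM with every <component>'s children in xs:sequence order.

    Foreign-namespace children keep their relative order and go last, which
    is where the 1.4 schema's trailing xs:any admits them.
    """
    ET.register_namespace("", CDX_NS)  # serialize with the default namespace
    root = ET.fromstring(xml_text)
    for comp in root.iter("{%s}component" % CDX_NS):
        children = list(comp)
        cdx = [c for c in children if _is_cdx(c.tag)]
        other = [c for c in children if not _is_cdx(c.tag)]
        # sort() is stable, so repeated elements keep their document order
        cdx.sort(key=lambda c: _RANK.get(_local(c.tag), len(COMPONENT_ORDER)))
        for c in children:
            comp.remove(c)
        for c in cdx + other:
            comp.append(c)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for ref, elem, before in find_order_violations(SAMPLE_BOM):
        print(f"{ref}: <{elem}> must come before <{before}>")
    print(reorder_components(SAMPLE_BOM))
```

Run as a script it reports that publisher must precede name in component 8cde4067-..., then prints the reordered BOM, which is the same fix the thread arrived at by hand. The check is deliberately narrow: it only tells you whether the producing tool emitted children in schema order, so a clean result from it is not a substitute for a pass from cyclonedx-cli validate.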