CycloneDX / cyclonedx-cli

CycloneDX CLI tool for SBOM analysis, merging, diffs and format conversions.
https://cyclonedx.org/
Apache License 2.0

Providing a more helpful message #323

Open bsoroushian opened 1 year ago

bsoroushian commented 1 year ago

Tried to validate an SBOM using the cyclonedx-cli command:

```
cyclonedx validate --input-format json --input-file /tmp/scan-trivy.cdx --fail-on-errors --input-version v1_4
```

What I expected: invalid SBOMs should result in a clear and specific error message (for example, something like what sbom-utility prints):

```
[ERROR] invalid SBOM: schema errors found (/tmp/scan-trivy.cdx):
(2) Schema errors detected (use `--debug` for more details):
    1. Type: [unique], Field: [dependencies.37.dependsOn], Description: [array items[0,1] must be unique]
    Failing object: [[
      "pkg:deb/debian/libc6@2.31-13+deb11u6?arch=amd64&distro=debian-11.7",
      "pkg:deb/debi ... (truncated)
    2. Type: [unique], Field: [dependencies.79.dependsOn], Description: [array items[0,1] must be unique]
    Failing object: [[
      "pkg:deb/debian/debconf@1.5.77?arch=all&distro=debian-11.7",
      "pkg:deb/debian/debcon ... (truncated)
[INFO] document `/tmp/scan-trivy.cdx`: valid=[false]
exit status 2
```

What happened: the cyclonedx-cli output was not specific enough to identify the problem:

```
Validating JSON BOM...
Validation failed:
#/properties/dependencies/items
BOM is not valid.
```

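The schema violation behind this report is a repeated ref inside a `dependsOn` array (the schema requires unique items). The following script, added here and not part of cyclonedx-cli or sbom-utility, walks a CycloneDX JSON BOM and reports each duplicate with its JSON-pointer path, the repeated ref and the offending indices, i.e. the kind of message the issue asks for. The sample BOM is constructed for the example.

```python
import json

# Constructed sample BOM (not from the issue): dependencies[1].dependsOn
# repeats one ref, which violates the schema's uniqueItems constraint.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "dependencies": [
        {"ref": "pkg:deb/debian/base-files@11.1?arch=amd64",
         "dependsOn": ["pkg:deb/debian/libc6@2.31-13?arch=amd64"]},
        {"ref": "pkg:deb/debian/perl-base@5.32.1?arch=amd64",
         "dependsOn": ["pkg:deb/debian/libc6@2.31-13?arch=amd64",
                       "pkg:deb/debian/libc6@2.31-13?arch=amd64",
                       "pkg:deb/debian/debconf@1.5.77?arch=all"]},
    ],
})


def find_duplicate_depends_on(bom_json: str) -> list:
    """One finding per dependsOn array with repeated refs.

    A finding carries the array's JSON-pointer path, the duplicated ref
    and the indices where it occurs, so the offending element is obvious.
    """
    findings = []
    for i, dep in enumerate(json.loads(bom_json).get("dependencies", [])):
        seen = {}
        for j, ref in enumerate(dep.get("dependsOn", [])):
            seen.setdefault(ref, []).append(j)
        for ref, idx in seen.items():
            if len(idx) > 1:
                findings.append({"path": f"#/dependencies/{i}/dependsOn",
                                 "ref": ref, "indices": idx})
    return findings


def format_findings(findings: list) -> str:
    """Render findings as a specific, actionable message."""
    if not findings:
        return "BOM dependencies: no duplicate dependsOn entries."
    out = [f"Validation failed: {len(findings)} uniqueItems violation(s)"]
    for n, f in enumerate(findings, 1):
        idx = ",".join(map(str, f["indices"]))
        out.append(f"  {n}. {f['path']}: items[{idx}] must be unique "
                   f"(duplicate ref {f['ref']})")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_findings(find_duplicate_depends_on(SAMPLE_BOM)))
```

Run it against a real BOM by replacing `SAMPLE_BOM` with the file contents; a clean BOM yields no findings.
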
andreas-hilti commented 1 year ago

https://github.com/CycloneDX/cyclonedx-cli/pull/317 should help in this respect (even if it might not completely resolve it).