Open bsoroushian opened 1 year ago
Tried to validate an SBOM using the cyclonedx-cli command:
cyclonedx validate --input-format json --input-file /tmp/scan-trivy.cdx --fail-on-errors --input-version v1_4
What I expected: Invalid SBOMs should result in a clear and specific error message (for example, something like what sbom-utility prints):
[ERROR] invalid SBOM: schema errors found (/tmp/scan-trivy.cdx):
(2) Schema errors detected (use `--debug` for more details):
1. Type: [unique], Field: [dependencies.37.dependsOn], Description: [array items[0,1] must be unique]
Failing object: [[ "pkg:deb/debian/libc6@2.31-13+deb11u6?arch=amd64&distro=debian-11.7", "pkg:deb/debi ... (truncated)
2. Type: [unique], Field: [dependencies.79.dependsOn], Description: [array items[0,1] must be unique]
Failing object: [[ "pkg:deb/debian/debconf@1.5.77?arch=all&distro=debian-11.7", "pkg:deb/debian/debcon ... (truncated)
[INFO] document `/tmp/scan-trivy.cdx`: valid=[false]
exit status 2
What happened: the cyclonedx-cli output was not specific enough to identify the problem:
Validating JSON BOM...
Validation failed: #/properties/dependencies/items
BOM is not valid.
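The schema error behind both outputs is a dependsOn array that repeats a ref, which the CycloneDX schema forbids via uniqueItems. As an added example (not code from cyclonedx-cli, sbom-utility or the issue author), the checker below walks the dependencies of a CycloneDX JSON BOM and reports each violation with its field path, item positions and repeated value, the detail the issue asks for; the sample BOM is constructed and the field-path format follows the sbom-utility output quoted above.

```python
import json
from collections import Counter

# Constructed sample BOM (not from the issue): dependency index 1 repeats a
# purl in dependsOn, violating the schema's uniqueItems constraint.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "dependencies": [
        {"ref": "pkg:deb/debian/bash@5.1-2?arch=amd64",
         "dependsOn": ["pkg:deb/debian/libc6@2.31-13?arch=amd64"]},
        {"ref": "pkg:deb/debian/libc6@2.31-13?arch=amd64",
         "dependsOn": ["pkg:deb/debian/libgcc-s1@10.2.1-6?arch=amd64",
                       "pkg:deb/debian/libgcc-s1@10.2.1-6?arch=amd64",
                       "pkg:deb/debian/libcrypt1@1:4.4.18-4?arch=amd64"]},
    ],
})


def find_duplicate_depends_on(bom_json: str) -> list[dict]:
    """Return one finding per repeated ref in a dependsOn array, with its path."""
    bom = json.loads(bom_json)
    findings = []
    for idx, dep in enumerate(bom.get("dependencies", [])):
        depends_on = dep.get("dependsOn", [])
        for value, n in Counter(depends_on).items():
            if n > 1:
                findings.append({
                    "field": f"dependencies.{idx}.dependsOn",
                    "items": [i for i, v in enumerate(depends_on) if v == value],
                    "value": value,
                })
    return findings


def format_report(findings: list[dict]) -> str:
    """Render findings in the one-line-per-error style shown in the issue."""
    if not findings:
        return "valid=[true]: no duplicate dependsOn entries"
    lines = [f"({len(findings)}) schema errors detected:"]
    for n, f in enumerate(findings, 1):
        lines.append(f"{n}. Type: [unique], Field: [{f['field']}], "
                     f"Description: [array items{f['items']} must be unique], "
                     f"Value: [{f['value']}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_duplicate_depends_on(SAMPLE_BOM)))
```

This only covers the uniqueItems rule on dependsOn; a full schema validation of the BOM is still needed for the other constraints.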
https://github.com/CycloneDX/cyclonedx-cli/pull/317 should help in this respect (even if it might not completely resolve it).