CycloneDX / cyclonedx-cli

CycloneDX CLI tool for SBOM analysis, merging, diffs and format conversions.
https://cyclonedx.org/
Apache License 2.0

Converting json SBOM to xml produces invalid SBOM when there is a component with multiple licenses #360

Open Taha-cmd opened 3 months ago

Taha-cmd commented 3 months ago

I have an SBOM for a C# application generated by the dotnet cyclonedx tool. One of the components has the following schema:

    {
      "type": "library",
      "bom-ref": "pkg:nuget/CsvHelper@30.0.1",
      "author": "Josh Close",
      "name": "CsvHelper",
      "version": "30.0.1",
      "description": "A library for reading and writing CSV files. Extremely fast, flexible, and easy to use. Supports reading and writing of custom class objects.",
      "scope": "required",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "F02DE9AB8F3A99B5B6D83ABC0E8EEBBD65563512C3610CBDF4F433202075C342FCFE58245C3AB7735E328433E80F0D6379DBFD5FC5392DF27FDAA15182A438DA"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "MS-PL"
          }
        },
        {
          "license": {
            "id": "Apache-2.0"
          }
        }
      ],
      "copyright": "Copyright © 2009-2022 Josh Close",
      "purl": "pkg:nuget/CsvHelper@30.0.1",
      "externalReferences": [
        {
          "url": "https://joshclose.github.io/CsvHelper/",
          "type": "website"
        },
        {
          "url": "https://github.com/JoshClose/CsvHelper",
          "type": "vcs"
        }
      ]
    }

When converting the SBOM to XML, the JSON component is converted to:

    <component type="library" bom-ref="pkg:nuget/CsvHelper@30.0.1">
      <author>Josh Close</author>
      <name>CsvHelper</name>
      <version>30.0.1</version>
      <description>A library for reading and writing CSV files. Extremely fast, flexible, and easy to use. Supports reading and writing of custom class objects.</description>
      <scope>required</scope>
      <hashes>
        <hash alg="SHA-512">F02DE9AB8F3A99B5B6D83ABC0E8EEBBD65563512C3610CBDF4F433202075C342FCFE58245C3AB7735E328433E80F0D6379DBFD5FC5392DF27FDAA15182A438DA</hash>
      </hashes>
      <licenses>
        <license>
          <id>MS-PL</id>
        </license>
      </licenses>
      <licenses>
        <license>
          <id>Apache-2.0</id>
        </license>
      </licenses>
      <copyright>Copyright © 2009-2022 Josh Close</copyright>
      <purl>pkg:nuget/CsvHelper@30.0.1</purl>
      <externalReferences>
        <reference type="website">
          <url>https://joshclose.github.io/CsvHelper/</url>
        </reference>
        <reference type="vcs">
          <url>https://github.com/JoshClose/CsvHelper</url>
        </reference>
      </externalReferences>
    </component>

The XML component is invalid, because it contains a duplicated licenses node, instead of one licenses node with multiple license nodes inside it. The validate command points this out correctly:

    Validation failed at line number 362 and position 8: The element 'component' in namespace 'http://cyclonedx.org/schema/bom/1.5' has invalid child element 'licenses' in namespace 'http://cyclonedx.org/schema/bom/1.5'. List of possible elements expected: 'copyright, cpe, purl, swid, modified, pedigree, externalReferences, properties, components, evidence, releaseNotes, modelCard, data' in namespace 'http://cyclonedx.org/schema/bom/1.5' as well as any element in namespace '##other'.
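As an added example (not code from the issue, from cyclonedx-cli, or from the dotnet library), the following Python script detects components in a converted XML BOM that carry more than one `licenses` child and folds them into a single `licenses` element, and also shows the correct rendering of a JSON `licenses` array. The sample BOM and JSON fragment are constructed from the component quoted in the issue, trimmed to the fields that matter; all function names are mine.

```python
"""Detect and repair duplicated <licenses> elements in a CycloneDX 1.5 XML BOM.

Example code written for this issue; it is not part of cyclonedx-cli.
Uses only the standard library so it runs offline.
"""
import json
import xml.etree.ElementTree as ET

NS = "http://cyclonedx.org/schema/bom/1.5"
# Keep the default namespace on output instead of an ns0: prefix.
ET.register_namespace("", NS)


def q(tag):
    """Qualified tag name in the CycloneDX 1.5 namespace."""
    return f"{{{NS}}}{tag}"


# Constructed sample: a minimal BOM wrapping the invalid component from the issue.
INVALID_XML = f"""<bom xmlns="{NS}" version="1">
  <components>
    <component type="library" bom-ref="pkg:nuget/CsvHelper@30.0.1">
      <name>CsvHelper</name>
      <version>30.0.1</version>
      <licenses><license><id>MS-PL</id></license></licenses>
      <licenses><license><id>Apache-2.0</id></license></licenses>
      <purl>pkg:nuget/CsvHelper@30.0.1</purl>
    </component>
  </components>
</bom>
"""

# Constructed sample: the JSON licenses array of the same component.
LICENSES_JSON = '[{"license": {"id": "MS-PL"}}, {"license": {"id": "Apache-2.0"}}]'


def components_with_duplicate_licenses(xml_text):
    """Return the bom-refs of components that have more than one <licenses> child."""
    root = ET.fromstring(xml_text)
    return [
        comp.get("bom-ref")
        for comp in root.iter(q("component"))
        if len(comp.findall(q("licenses"))) > 1
    ]


def merge_duplicate_licenses(xml_text):
    """Fold every extra <licenses> element into the first one, in document order.

    The first occurrence stays where it is, so the XSD child sequence
    (... hashes, licenses, copyright, ...) is not disturbed.
    """
    root = ET.fromstring(xml_text)
    for comp in root.iter(q("component")):
        groups = comp.findall(q("licenses"))
        first = groups[0] if groups else None
        for extra in groups[1:]:
            for child in list(extra):
                first.append(child)
            comp.remove(extra)
    return ET.tostring(root, encoding="unicode")


def license_ids(xml_text, bom_ref):
    """License ids of one component, in order; used to check a repair kept everything."""
    root = ET.fromstring(xml_text)
    for comp in root.iter(q("component")):
        if comp.get("bom-ref") == bom_ref:
            path = f"{q('licenses')}/{q('license')}/{q('id')}"
            return [el.text for el in comp.findall(path)]
    return []


def licenses_json_to_xml(licenses_json):
    """Correct rendering of a CycloneDX JSON 'licenses' array: one <licenses>
    element with one <license> child per entry, carrying the entry's id or name."""
    el = ET.Element(q("licenses"))
    for entry in json.loads(licenses_json):
        src = entry["license"]
        key = "id" if "id" in src else "name"
        lic = ET.SubElement(el, q("license"))
        ET.SubElement(lic, q(key)).text = src[key]
    return ET.tostring(el, encoding="unicode")


if __name__ == "__main__":
    print("duplicates:", components_with_duplicate_licenses(INVALID_XML))
    fixed = merge_duplicate_licenses(INVALID_XML)
    print("after merge:", components_with_duplicate_licenses(fixed))
    print(fixed)
    print(licenses_json_to_xml(LICENSES_JSON))
```

This is a structural check only: it finds the specific shape the converter emitted here, and a repaired file should still be run through `cyclonedx-cli validate` against the XSD before it is trusted, since other ordering or cardinality errors would not be caught by this script.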

andreas-hilti commented 1 month ago

Might be fixed once https://github.com/CycloneDX/cyclonedx-dotnet-library/pull/218 is merged and picked up by the cli.

Taha-cmd commented 1 month ago

@andreas-hilti Thanks for the reference! The PR has been open for more than a year without a reaction from the maintainers :(