Open cbsMartin opened 2 months ago
@cbsMartin Can you please provide a sample BOM that fails validation? (All that the CLI does internally is to validate the JSON file against the corresponding JSON schema; thus, I'm a bit surprised if this is indeed the case.) What kind of validation messages do you get? (In particular, there are also tests that validate, for instance, valid-machine-learning-1.6.json.)
The latest release of the CycloneDX CLI tool is unable to validate SBOMs conforming to CycloneDX format versions 1.5 and 1.6 that include the modelCard and data elements. These versions of the format introduce new features and structures, such as the modelCard and data elements, which are not being properly recognized or validated by the CLI tool. The validation fails even though the SBOM adheres to the CycloneDX specification.
Link to the CycloneDX 1.5 modelCard
Link to the CycloneDX 1.5 data
Link to the CycloneDX 1.6 modelCard
Link to the CycloneDX 1.6 data