CycloneDX / cyclonedx-cli

CycloneDX CLI tool for SBOM analysis, merging, diffs and format conversions.
https://cyclonedx.org/
Apache License 2.0

Error validating CycloneDX format in version 1.6 #407

Open simonfrancaix opened 1 week ago

simonfrancaix commented 1 week ago

Hello,

I think there are various errors when validating CycloneDX format version 1.6.

Requirements:

$ trivy --version
Version: 0.56.1
[...]
$ cyclonedx-cli --version
0.27.1+6c0e6c8f45d446ed4a28891040592e4ae4a39c3c

Steps for reproduction:

$ trivy image --format cyclonedx --output /tmp/playwright.json mcr.microsoft.com/playwright/java:v1.47.0-noble-amd64
2024-10-14T14:53:21+02:00   INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2024-10-14T14:53:22+02:00   INFO    Detected OS family="ubuntu" version="24.04"
2024-10-14T14:53:22+02:00   INFO    Number of language-specific files   num=1
$ cyclonedx-cli validate --input-file /tmp/playwright.json
Validation failed:
Value is "object" but should be "array"
http://cyclonedx.org/schema/bom-1.6.schema.json#/properties/tools/oneOf/1
On instance: /metadata/tools:
[...]
Unable to validate against any JSON schemas.
BOM is not valid.

Analysis

Value is "object" but should be "array"
http://cyclonedx.org/schema/bom-1.6.schema.json#/properties/tools/oneOf/1
On instance: /metadata/tools:
{
  "components": [
    {
      "type": "application",
      "group": "aquasecurity",
      "name": "trivy",
      "version": "0.56.1"
    }
  ]
}

The tools array is deprecated. Tools is an object now - https://cyclonedx.org/docs/1.6/json/#tab-pane_metadata_tools_oneOf_i0

Required properties ["id"] are not present
http://cyclonedx.org/schema/bom-1.6.schema.json#/oneOf/0
On instance: /components/510/licenses/0/license:
{
  "name": "GPL-3.0"
}

License can be id or name - https://cyclonedx.org/docs/1.6/json/#tab-pane_components_items_licenses_oneOf_i0_items_license_oneOf_i1

Value should have at most 1 items
http://cyclonedx.org/schema/bom-1.6.schema.json#/oneOf/1
On instance: /components/313/licenses:
[
  {
    "license": {
      "name": "BSD-3-Clause"
    }
  },
  {
    "license": {
      "name": "ISC"
    }
  },
  {
    "license": {
      "name": "GPL-3.0"
    }
  }
]

Licenses is an array - why should it be one item? https://cyclonedx.org/docs/1.6/json/#components_items_licenses

Thank you for your attention to this ticket.

andreas-hilti commented 1 day ago

@simonfrancaix When I ran it, I had two instances of empty licenses

{
  "license": {}
},

which violate the specification, as id or name is required. If I remove these two, it validates successfully. However, what I don't understand is why the validation produces so many misleading/wrong error messages.

andreas-hilti commented 1 day ago

It seems to also report the oneOf cases against which it could not validate, even though another case succeeded, e.g. case 1 for tools (legacy tools): it can't validate http://cyclonedx.org/schema/bom-1.6.schema.json#/properties/tools/oneOf/1 against it, but it can validate perfectly fine against case 0 (the new tools). Similarly, in most cases it can't validate against LicenseChoice case 1 (license expression), but in most cases it can validate against case 0 (licenses list).
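Because the validator prints every oneOf branch that failed, the real offender (the empty `{"license": {}}` objects) is buried under branch-0/branch-1 noise. The script below is an added example, not part of cyclonedx-cli or Trivy: it pre-checks a CycloneDX 1.6 JSON BOM for just the rules discussed in this thread (a `license` needs exactly one of `id`/`name`, a `licenses` array holding an `expression` has at most one item, and `metadata.tools` is either the legacy array or the 1.5+ object with `components`/`services`) and prints the JSON pointer of each actual violation. It is not a schema validator; the rules are encoded as the thread describes them, and the embedded BOM is constructed for illustration.

```python
"""Locate the real LicenseChoice / tools violations in a CycloneDX JSON BOM.

Added example, not code from cyclonedx-cli. Encodes only the rules discussed
in the issue thread (assumption: they match the 1.6 schema's oneOf branches):
  - license object: exactly one of `id` or `name`
  - licenses array: either [{license: ...}, ...] or a single [{expression: ...}]
  - metadata.tools: legacy array of tool objects, or object with
    `components` / `services` arrays (1.5+ form)
"""
import json
import sys


def check_license_choice(licenses, path):
    """Return [(json_pointer, message)] for one `licenses` array."""
    problems = []
    if not isinstance(licenses, list):
        return [(path, "licenses must be an array")]
    has_expression = any(isinstance(i, dict) and "expression" in i for i in licenses)
    # Branch 1 of LicenseChoice (expression form) carries maxItems: 1.
    if has_expression and len(licenses) > 1:
        problems.append((path, "a licenses array containing an expression may hold at most 1 item"))
    for i, item in enumerate(licenses):
        p = f"{path}/{i}"
        if not isinstance(item, dict):
            problems.append((p, "license choice must be an object"))
            continue
        if "expression" in item:
            if not isinstance(item["expression"], str) or not item["expression"]:
                problems.append((f"{p}/expression", "expression must be a non-empty string"))
            continue
        lic = item.get("license")
        if not isinstance(lic, dict):
            problems.append((p, "license choice needs either `license` or `expression`"))
            continue
        # Branch 0 of `license` requires id, branch 1 requires name; oneOf means exactly one.
        if "id" in lic and "name" in lic:
            problems.append((f"{p}/license", "license may carry id or name, not both"))
        elif "id" not in lic and "name" not in lic:
            problems.append((f"{p}/license", "license needs `id` or `name` (empty object)"))
    return problems


def check_tools(tools, path="/metadata/tools"):
    """Accept the legacy array form or the 1.5+ object form of metadata.tools."""
    problems = []
    if tools is None:
        return problems
    if isinstance(tools, list):  # legacy (deprecated) form: array of tool objects
        for i, t in enumerate(tools):
            if not isinstance(t, dict):
                problems.append((f"{path}/{i}", "legacy tool entry must be an object"))
    elif isinstance(tools, dict):  # 1.5+ form: components and/or services arrays
        unknown = sorted(set(tools) - {"components", "services"})
        if unknown:
            problems.append((path, f"unexpected keys in tools object: {unknown}"))
        for key in ("components", "services"):
            if key in tools and not isinstance(tools[key], list):
                problems.append((f"{path}/{key}", f"{key} must be an array"))
    else:
        problems.append((path, "tools must be an array (legacy) or an object (1.5+)"))
    return problems


def check_bom(bom):
    """Walk metadata.tools, metadata.component and the (nested) components tree."""
    problems = check_tools(bom.get("metadata", {}).get("tools"))
    meta_comp = bom.get("metadata", {}).get("component")
    if isinstance(meta_comp, dict) and "licenses" in meta_comp:
        problems.extend(check_license_choice(meta_comp["licenses"], "/metadata/component/licenses"))

    def walk(components, path):
        for i, comp in enumerate(components or []):
            cpath = f"{path}/{i}"
            if isinstance(comp, dict) and "licenses" in comp:
                problems.extend(check_license_choice(comp["licenses"], f"{cpath}/licenses"))
            if isinstance(comp, dict):
                walk(comp.get("components"), f"{cpath}/components")

    walk(bom.get("components"), "/components")
    return problems


# Constructed sample BOM (hypothetical package names): the 1.5+ tools object,
# a three-license component (valid), an empty license object (the bug seen in
# the issue) and an expression mixed with a second entry (maxItems violation).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "metadata": {"tools": {"components": [
        {"type": "application", "group": "aquasecurity", "name": "trivy", "version": "0.56.1"}]}},
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.0", "licenses": [
            {"license": {"name": "BSD-3-Clause"}}, {"license": {"name": "ISC"}}, {"license": {"name": "GPL-3.0"}}]},
        {"type": "library", "name": "libbar", "version": "2.0", "licenses": [{"license": {}}]},
        {"type": "library", "name": "libbaz", "version": "3.0", "licenses": [
            {"expression": "MIT OR Apache-2.0"}, {"license": {"id": "MIT"}}]},
    ],
}

if __name__ == "__main__":
    bom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_BOM
    for pointer, msg in check_bom(bom) or [("-", "no LicenseChoice/tools problems found")]:
        print(f"{pointer}: {msg}")
```

Run it as `python check_bom.py /tmp/playwright.json` (or with no argument to use the embedded sample); each line is the JSON pointer of an entry that genuinely fails, which is what the oneOf error dump does not tell you. Removing the reported empty license objects, or giving them an SPDX `id`, is what makes the full schema validation pass, as the comment above observed.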