CycloneDX / cyclonedx-dotnet

Creates CycloneDX Software Bill of Materials (SBOM) from .NET Projects
https://cyclonedx.org/
Apache License 2.0

[Issue] XML Serialization of Bom with multiple licenses produces invalid XML #878

Closed nicolaihenriksen closed 1 month ago

nicolaihenriksen commented 1 month ago

This really should be logged as an issue rather than a PR, but doing a PR allows me to extend an existing validation test-case to provoke the error that I am seeing.

The CsvHelper nuget package is listed on nuget.org with this license info:

This can also be confirmed by looking in the *.nuspec file of the package:

The BOM (all versions I have dealt with so far) schema definition states that the <licenses> element should appear 0 or 1 times. This is why the serialized Bom is invalid, because the output looks like the snippet below where there are 2 licenses elements instead of nesting both license elements into a single "collection":

```xml
<?xml version="1.0" encoding="utf-8"?>
<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" ... version="1" xmlns="http://cyclonedx.org/schema/bom/1.5">
  <metadata>
    ...
  </metadata>
  <components>
    <component type="library" bom-ref="pkg:nuget/CsvHelper@32.0.3">
      ...
      <licenses>
        <license>
          <id>MS-PL</id>
        </license>
      </licenses>
      <licenses>
        <license>
          <id>Apache-2.0</id>
        </license>
      </licenses>
      ...
    </component>
    ...
  </components>
  ...
</bom>
```

Expected something like this instead:

```xml
<licenses>
  <license>
    <id>MS-PL</id>
  </license>
  <license>
    <id>Apache-2.0</id>
  </license>
</licenses>
```

I suspect the issue may even be in the cyclonedx-dotnet-library rather than in this repository, but it was easier to demonstrate the issue here.

When I run the test suite including my change below, you can see that it passes the JSON variant, but fails the XML. I suspect the same will happen in the pipeline upon opening this PR. I have ticked "Allow edits by maintainers" so feel free to add the fix directly on my fork/branch if you think that is appropriate (and even possible).
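As an added example (not code from this issue, cyclonedx-dotnet or cyclonedx-dotnet-library), a Python check that flags components carrying more than one `<licenses>` element, the defect shown above, and folds the siblings into the single element the schema allows; the BOM text is constructed from the snippet in the report and the 1.5 namespace it uses.

```python
"""Detect and repair duplicate <licenses> elements in a CycloneDX XML BOM."""
import xml.etree.ElementTree as ET

NS = "http://cyclonedx.org/schema/bom/1.5"
ET.register_namespace("", NS)  # serialize back without an ns0: prefix

# Constructed sample reproducing the invalid output: two sibling <licenses>
# elements under one <component>, plus a well-formed second component.
SAMPLE_BOM = f"""<bom xmlns="{NS}" version="1">
  <components>
    <component type="library" bom-ref="pkg:nuget/CsvHelper@32.0.3">
      <name>CsvHelper</name>
      <version>32.0.3</version>
      <licenses><license><id>MS-PL</id></license></licenses>
      <licenses><license><id>Apache-2.0</id></license></licenses>
    </component>
    <component type="library" bom-ref="pkg:nuget/Example@1.0.0">
      <name>Example</name>
      <licenses><license><id>MIT</id></license></licenses>
    </component>
  </components>
</bom>
"""


def find_duplicate_licenses(xml_text):
    """Return bom-refs of components with more than one <licenses> child.

    The schema permits <licenses> 0 or 1 times per component, so any hit
    here means the BOM will fail XSD validation.
    """
    root = ET.fromstring(xml_text)
    bad = []
    for comp in root.iter(f"{{{NS}}}component"):
        if len(comp.findall(f"{{{NS}}}licenses")) > 1:
            bad.append(comp.get("bom-ref"))
    return bad


def merge_licenses(xml_text):
    """Return the BOM with each component's <licenses> siblings merged into one."""
    root = ET.fromstring(xml_text)
    for comp in root.iter(f"{{{NS}}}component"):
        groups = comp.findall(f"{{{NS}}}licenses")
        keep = groups[0] if groups else None
        for extra in groups[1:]:
            for child in list(extra):   # move each <license>/<expression> across
                keep.append(child)
            comp.remove(extra)
    return ET.tostring(root, encoding="unicode")
```

Running `find_duplicate_licenses` over a generated BOM before shipping it catches this class of serializer bug without needing the XSD at hand; `merge_licenses` is only a stop-gap until the library emits a single element.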

mtsfoni commented 1 month ago

Most likely related to: https://github.com/CycloneDX/cyclonedx-dotnet-library/pull/218

The generator tool creates a List of licenses in the Component and fills multiple licenses into it. Looks alright so far.

nicolaihenriksen commented 1 month ago

@mtsfoni You are absolutely correct, that seems to be the same issue. I must not have been thorough enough when searching for existing issues; perhaps because it seems there are mostly PRs opened, not really issues.

I will close this as a duplicate of the PRs below (or covered by): https://github.com/CycloneDX/cyclonedx-dotnet-library/pull/218 https://github.com/CycloneDX/cyclonedx-dotnet-library/pull/187