Closed Scanteianu closed 1 month ago
Hello,
I use this library to generate a Vulnerability Disclosure Report for Adoptium Temurin (OpenJDK Build): https://github.com/adoptium/temurin-vdr-generator/blob/main/cvereporter/report.py As an example, see https://github.com/adoptium/temurin-vdr-generator/actions/runs/9914996771 However, it doesn't pass validation on https://cyclonedx.github.io/cyclonedx-web-tool/convert which I'm guessing is powered by https://github.com/CycloneDX/sbom-utility
It would be nice if the library could somehow prevent me from generating an invalid sbom.
Errors from running the utility locally include:
```
Welcome to the sbom-utility! Version `v0.16.0` (sbom-utility) (windows/amd64)
=============================================================================
[INFO] Loading (embedded) default schema config file: `config.json`...
[INFO] Loading (embedded) default license policy file: `license.json`...
[INFO] Attempting to load and unmarshal data from: `vdr.json`...
[INFO] Successfully unmarshalled data from: `vdr.json`
[INFO] Determining file's BOM format and version...
[INFO] Determined BOM format, version (variant): `CycloneDX`, `1.4` (latest)
[INFO] Matching BOM schema (for validation): schema/cyclonedx/1.4/bom-1.4.schema.json
[INFO] Loading schema `schema/cyclonedx/1.4/bom-1.4.schema.json`...
[INFO] Schema `schema/cyclonedx/1.4/bom-1.4.schema.json` loaded.
[INFO] Validating `vdr.json`...
[INFO] BOM valid against JSON schema: `false`
[INFO] (1157) schema errors detected.
[INFO] Formatting error results (`txt` format)...
[INFO] Too many errors. Showing (10/1157) errors.
1. { "type": "invalid_type", "field": "metadata.component.supplier", "context": "(root).metadata.component.supplier", "description": "Invalid type. Expected: object, given: string", "value": "Eclipse foundation" }
2. { "type": "invalid_type", "field": "vulnerabilities.0.ratings.0.score", "context": "(root).vulnerabilities.0.ratings.0.score", "description": "Invalid type. Expected: number, given: string", "value": "7.5" }
3. { "type": "invalid_type", "field": "vulnerabilities.0.ratings.1.source", "context": "(root).vulnerabilities.0.ratings.1.source", "description": "Invalid type. Expected: object, given: string", "value": "https://openjdk.org/groups/vulnerability/advisories/2019-04-16" }
4. { "type": "invalid_type", "field": "vulnerabilities.0.ratings.1.score", "context": "(root).vulnerabilities.0.ratings.1.score", "description": "Invalid type. Expected: number, given: string", "value": "7.5" }
5. { "type": "number_one_of", "field": "vulnerabilities.0.affects.0.versions.0", "context": "(root).vulnerabilities.0.affects.0.versions.0", "description": "Must validate one and only one schema (oneOf)", "value": "11.0.2" }
6. { "type": "number_one_of", "field": "vulnerabilities.0.affects.0.versions.1", "context": "(root).vulnerabilities.0.affects.0.versions.1", "description": "Must validate one and only one schema (oneOf)", "value": "12" }
7. { "type": "number_one_of", "field": "vulnerabilities.0.affects.0.versions.2", "context": "(root).vulnerabilities.0.affects.0.versions.2", "description": "Must validate one and only one schema (oneOf)", "value": "7u211" }
8. { "type": "number_one_of", "field": "vulnerabilities.0.affects.0.versions.3", "context": "(root).vulnerabilities.0.affects.0.versions.3", "description": "Must validate one and only one schema (oneOf)", "value": "8u202" }
9. { "type": "invalid_type", "field": "vulnerabilities.1.ratings.0.score", "context": "(root).vulnerabilities.1.ratings.0.score", "description": "Invalid type. Expected: number, given: string", "value": "5.9" }
10. { "type": "invalid_type", "field": "vulnerabilities.1.ratings.1.source", "context": "(root).vulnerabilities.1.ratings.1.source", "description": "Invalid type. Expected: object, given: string", "value": "https://openjdk.org/groups/vulnerability/advisories/2019-04-16" }
[ERROR] invalid SBOM: schema errors found (vdr.json)
[INFO] document `vdr.json`: valid=[false]
```