CycloneDX / cyclonedx-web-tool

A web based tool for working with CycloneDX BOMs
https://cyclonedx.github.io/cyclonedx-web-tool
Apache License 2.0

Validation of newly generated BOM files fails #117

Open ognyandim opened 1 year ago

ognyandim commented 1 year ago

Context

Windows 10

Cyclone versions:

NPM version: @cyclonedx/cyclonedx-npm@1.7.2 of CycloneDX for NPM
.NET version: 2.7.0 of CycloneDX for .NET

IDEs

VS 2022
VS Code

npm version 9.2.0
node version 18.12.1

Actions

  1. Generating NPM and .NET BOMs from the latest boilerplate project on https://aspnetboilerplate.com as is: unpack, restore packages and run the BOM generation as described below
# for the NPM BOM
cyclonedx-npm --output-format "JSON" --output-file "bom.json"

# for the .NET BOM (XML by default, -j for JSON)
dotnet-CycloneDX .\FMS.sln -o ./
dotnet-CycloneDX .\FMS.sln -o ./ -j

The generation is ok.

  2. Validation. To validate the generated BOMs I am using the hosted version: https://cyclonedx.github.io/cyclonedx-web-tool

The validation tool returns errors on both BOMs.

Results

From both validations I get the alert: The file is not a valid v1.4 BOM.

From the NPM BOM validation I get: '<' is an invalid start of a value. LineNumber: 0 | BytePositionInLine: 0.

From the .NET BOM in JSON validation I get: "Validation failed: #/properties/components/items"

From the .NET BOM in XML validation I get: Validation failed at line number 373 and position 28: The 'http://cyclonedx.org/schema/bom/1.4:id' element is invalid - The value 'NOASSERTION' is invalid according to its datatype 'http://cyclonedx.org/schema/spdx:licenseId' - The Enumeration constraint failed.

The resulting BOMs are attached.

BOMs.zip
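The two error messages in this report point at two different things a practitioner can check locally before uploading a BOM. "'<' is an invalid start of a value" is what a JSON parser says when it is handed XML, so the first check is to sniff the file's first non-blank byte. The XML error says that in the 1.4 schema a license id must be an SPDX license identifier and NOASSERTION is not one; a CycloneDX license object carries either an SPDX id or a free-text name, so a value like NOASSERTION can be carried in name instead. The script below is an added example written for this thread, not code from cyclonedx-web-tool, cyclonedx-npm or CycloneDX for .NET. SPDX_IDS is a constructed subset of the SPDX list (a real run should load the full list), and the sample JSON BOM and XML fragment are constructed inputs that mirror the reported failures.

```python
"""Pre-upload lint for a CycloneDX JSON BOM (added example, not project code).

Checks:
  * content sniffing: XML must not be fed to a JSON parser;
  * bomFormat / specVersion sanity;
  * every license.id must be an SPDX license identifier; a value such as
    NOASSERTION is moved to license.name, which the 1.4 schema allows.
"""
import json

# Constructed subset; load the full list from CycloneDX's spdx.schema.json in real use.
SPDX_IDS = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC", "GPL-3.0-only"}


def sniff_format(data: bytes) -> str:
    """Classify a BOM file as 'xml', 'json' or 'unknown' by its first non-blank byte."""
    if data.startswith(b"\xef\xbb\xbf"):  # tolerate a UTF-8 byte-order mark (common on Windows)
        data = data[3:]
    body = data.lstrip()
    if body.startswith(b"<"):
        return "xml"
    if body.startswith(b"{"):
        return "json"
    return "unknown"


def parse_bom(data: bytes) -> dict:
    """Parse JSON BOM bytes; raise ValueError with a clear message if the file is not JSON."""
    fmt = sniff_format(data)
    if fmt != "json":
        raise ValueError(f"expected a JSON BOM, file looks like {fmt}")
    return json.loads(data)


def iter_components(bom: dict):
    """Yield every component in document order, including nested ones."""
    queue = list(bom.get("components", []))
    while queue:
        comp = queue.pop(0)
        yield comp
        queue.extend(comp.get("components", []))


def bad_license_ids(bom: dict) -> list:
    """Return (component name, license id) pairs whose id is not an SPDX license id.

    Entries that use an SPDX 'expression' instead of a 'license' object are skipped.
    """
    bad = []
    for comp in iter_components(bom):
        for entry in comp.get("licenses", []):
            lic = entry.get("license")
            if lic and "id" in lic and lic["id"] not in SPDX_IDS:
                bad.append((comp.get("name", "?"), lic["id"]))
    return bad


def fix_license_ids(bom: dict) -> int:
    """Rewrite each non-SPDX license.id as license.name, in place; return how many were changed."""
    fixed = 0
    for comp in iter_components(bom):
        for entry in comp.get("licenses", []):
            lic = entry.get("license")
            if lic and "id" in lic and lic["id"] not in SPDX_IDS:
                lic["name"] = lic.pop("id")
                fixed += 1
    return fixed


def lint(data: bytes) -> list:
    """Return a list of human-readable problems; an empty list means these checks passed."""
    try:
        bom = parse_bom(data)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append(f"bomFormat is {bom.get('bomFormat')!r}, expected 'CycloneDX'")
    if bom.get("specVersion") != "1.4":
        problems.append(f"specVersion is {bom.get('specVersion')!r}, expected '1.4'")
    for name, lid in bad_license_ids(bom):
        problems.append(f"{name}: license id {lid!r} is not an SPDX license id; move it to license.name")
    return problems


# Constructed sample input: one clean component and one carrying the NOASSERTION id.
SAMPLE_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "example-lib-a", "version": "1.0.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "example-lib-b", "version": "2.0.0",
         "licenses": [{"license": {"id": "NOASSERTION"}}]},
    ],
}).encode()
# Constructed XML fragment: the kind of input that makes a JSON parser report "'<' is an invalid start of a value".
SAMPLE_XML = b'<?xml version="1.0" encoding="utf-8"?><bom xmlns="http://cyclonedx.org/schema/bom/1.4"></bom>'

if __name__ == "__main__":
    for label, data in (("json", SAMPLE_JSON), ("xml", SAMPLE_XML)):
        print(label, lint(data) or "ok")
    bom = parse_bom(SAMPLE_JSON)
    print("rewrote", fix_license_ids(bom), "license id(s); remaining:", bad_license_ids(bom))
```

Running the script on the constructed inputs reports the XML fragment as not JSON and flags example-lib-b for the NOASSERTION id; after fix_license_ids the BOM carries that value as license.name and the check comes back clean. These are pre-checks only; the authoritative result is still full schema validation against the CycloneDX 1.4 JSON or XML schema.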

stevespringett commented 1 year ago

Can you attach the XML BOMs as well? The ZIP only has the JSON one.

ognyandim commented 1 year ago

Hello @stevespringett and thanks for the quick reply. Here they are: .net.bom.json.zip .net.bom.xml.zip npm.bom.json.zip