Closed pasieronen closed 1 week ago
@pasieronen Yes, the actual canonical CycloneDX spec imports these as dependencies. Without either subverting the canonical schema file or doing extraordinary things to somehow inject some callback/fake lookup in the schema loader (which is a 3rd-party lib.).
For the first part, I will speak with my fellow maintainers of the spec for the next version (1.7) to see if we can find perhaps a way to "in-line" the other JSON schemas instead of importing (or other alternatives...). For the latter option, I would love help if you would like to look at the code and would be happy to meet and walk through the relevant files/code snippets. The first thing to try is writing a custom schema loader as per: https://github.com/xeipuuv/gojsonschema?tab=readme-ov-file#loading-local-schemas.
The custom schema loader may be the path to try... let me see if I can attempt it and see how easy/hard this is, but please feel free to jump in ;)
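The problem under discussion is that a JSON Schema validator follows `$ref` links to other schemas and, by default, fetches them over the network. The following is an added illustration, not code from sbom-utility or from gojsonschema: it uses only the Go standard library to show the offline-loading principle the linked README section is about, namely resolving every `$ref` against a pre-registered local set of schemas and failing closed (an error, not a download) when a referenced schema is not bundled. The schema IDs, the `example.invalid` host and the three tiny schemas are constructed for the example; the `LoadOffline` and `CollectRefs` names are the example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// localSchemas is a constructed, in-memory registry keyed by each schema's
// "$id" URL. In a real tool these bytes would be shipped with the binary
// (for example via go:embed), never fetched at validation time.
var localSchemas = map[string]string{
	"http://example.invalid/schemas/root.json": `{
		"$id": "http://example.invalid/schemas/root.json",
		"type": "object",
		"properties": {
			"vendor": {"$ref": "http://example.invalid/schemas/vendor.json"},
			"license": {"$ref": "license.json"}
		}
	}`,
	"http://example.invalid/schemas/vendor.json": `{
		"$id": "http://example.invalid/schemas/vendor.json",
		"type": "string"
	}`,
	"http://example.invalid/schemas/license.json": `{
		"$id": "http://example.invalid/schemas/license.json",
		"enum": ["MIT", "Apache-2.0"]
	}`,
}

// resolveRef turns a $ref that is either absolute or relative to the
// referencing schema's $id into the key used by the local registry.
func resolveRef(baseID, ref string) string {
	if strings.Contains(ref, "://") {
		return ref
	}
	i := strings.LastIndex(baseID, "/")
	return baseID[:i+1] + ref
}

// CollectRefs walks a decoded schema and appends every external $ref it
// contains, normalised to an absolute URL. Fragment-only refs ("#/...")
// point inside the same document and are skipped.
func CollectRefs(baseID string, node interface{}, out *[]string) {
	switch v := node.(type) {
	case map[string]interface{}:
		for k, child := range v {
			if k == "$ref" {
				if s, ok := child.(string); ok && !strings.HasPrefix(s, "#") {
					*out = append(*out, resolveRef(baseID, s))
				}
				continue
			}
			CollectRefs(baseID, child, out)
		}
	case []interface{}:
		for _, child := range v {
			CollectRefs(baseID, child, out)
		}
	}
}

// LoadOffline loads rootID and, transitively, every schema it references,
// from the local registry only. A $ref that is not bundled is reported as
// an error instead of being downloaded, so validation can never silently
// depend on network access.
func LoadOffline(rootID string) (map[string]interface{}, error) {
	loaded := map[string]interface{}{}
	queue := []string{rootID}
	for len(queue) > 0 {
		id := queue[0]
		queue = queue[1:]
		if _, done := loaded[id]; done {
			continue
		}
		raw, ok := localSchemas[id]
		if !ok {
			return nil, fmt.Errorf("schema %q is not bundled locally; refusing to fetch it over the network", id)
		}
		var doc interface{}
		if err := json.Unmarshal([]byte(raw), &doc); err != nil {
			return nil, fmt.Errorf("schema %q: %w", id, err)
		}
		loaded[id] = doc
		var refs []string
		CollectRefs(id, doc, &refs)
		queue = append(queue, refs...)
	}
	return loaded, nil
}

func main() {
	loaded, err := LoadOffline("http://example.invalid/schemas/root.json")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("loaded %d schemas without network access\n", len(loaded))
	_, err = LoadOffline("http://example.invalid/schemas/missing.json")
	fmt.Println("unbundled schema ->", err)
}
```

Running it with WiFi off behaves exactly like running it online, which is the property the reporter asked for; the second call shows the fail-closed path a maintainer would want in a test, so that a newly added `$ref` in the spec is caught at build time rather than discovered as a download at a user's site.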
@pasieronen Created https://github.com/CycloneDX/sbom-utility/releases/tag/v0.17.1-pre just for you ;)
Thanks! I tried v0.17.1-pre, and it worked fine without internet access (and found a couple of minor validation errors in the SBOMs I had).
When I try to validate any CycloneDX JSON SBOM, sbom-utility tries to download the following URLs, and fails if I turn off my WiFi:
I'm using sbom-utility version v0.17.0.