CycloneDX / specification

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX
https://cyclonedx.org/
Apache License 2.0

bom-1.5.xsd does not compile #390

Closed jzampieron closed 4 months ago

jzampieron commented 4 months ago

The CycloneDX XML Schema is an invalid Schema as downloaded from GitHub.

$ xmllint --noout --schema ~/tmp/bom-1.5.xsd ./build/reports/bom.xml 
error : Unknown IO error
warning: failed to load external entity "http://cyclonedx.org/schema/spdx"
/Users/jeffrey.zampieron/tmp/bom-1.5.xsd:27: element import: Schemas parser warning : Element '{http://www.w3.org/2001/XMLSchema}import': Failed to locate a schema at location 'http://cyclonedx.org/schema/spdx'. Skipping the import.
/Users/jeffrey.zampieron/tmp/bom-1.5.xsd:644: element element: Schemas parser error : element decl. '{http://cyclonedx.org/schema/bom/1.5}id', attribute 'type': The QName value '{http://cyclonedx.org/schema/spdx}licenseId' does not resolve to a(n) type definition.
WXS schema /Users/jeffrey.zampieron/tmp/bom-1.5.xsd failed to compile

Looks like the URLs are invalid.

stevespringett commented 4 months ago

The error message is saying that it cannot find the SPDX subschema, which you'll also need to download.
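An added example, not from the issue thread or the CycloneDX project: fetch spdx.xsd next to bom-1.5.xsd and give xmllint an OASIS XML catalog (read by libxml2 through XML_CATALOG_FILES) that maps the `http://cyclonedx.org/schema/spdx` import location to the local file, so validation runs with --nonet and never depends on the URL; the raw download URLs are assumptions.

```shell
#!/bin/sh
# Added example, not from the issue thread or the CycloneDX project.
# Validates a CycloneDX 1.5 XML BOM with xmllint while resolving the
# 'http://cyclonedx.org/schema/spdx' import to a local spdx.xsd through
# an OASIS XML catalog, so the check runs with --nonet (no fetches).
set -eu

# Assumed raw URLs of the schema files in the specification repository.
SCHEMA_BASE="https://raw.githubusercontent.com/CycloneDX/specification/master/schema"

# Write catalog.xml into directory $1 (an absolute path) mapping the SPDX
# import location to the spdx.xsd stored there; prints the catalog path.
write_cdx_catalog() {
    dir=$1
    cat > "$dir/catalog.xml" <<EOF
<?xml version="1.0"?>
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
  <uri name="http://cyclonedx.org/schema/spdx" uri="$dir/spdx.xsd"/>
  <system systemId="http://cyclonedx.org/schema/spdx" uri="$dir/spdx.xsd"/>
</catalog>
EOF
    printf '%s\n' "$dir/catalog.xml"
}

# Fetch bom-1.5.xsd and spdx.xsd into $1 so the pair comes from one revision.
fetch_cdx_schemas() {
    dir=$1
    for f in bom-1.5.xsd spdx.xsd; do
        curl -fsSL -o "$dir/$f" "$SCHEMA_BASE/$f"
    done
}

# Validate BOM file $2 against the schemas in $1; exit status is xmllint's.
validate_bom() {
    dir=$1
    bom=$2
    XML_CATALOG_FILES="$dir/catalog.xml" \
        xmllint --nonet --noout --schema "$dir/bom-1.5.xsd" "$bom"
}

# Usage: sh validate-bom.sh build/reports/bom.xml
if [ "${1-}" != "" ]; then
    schemadir=$(mktemp -d)
    fetch_cdx_schemas "$schemadir"
    write_cdx_catalog "$schemadir" >/dev/null
    validate_bom "$schemadir" "$1"
fi
```

With --nonet, a missing or mis-mapped spdx.xsd fails immediately with a network-attempt error instead of the "Unknown IO error" above, which makes a broken schema set obvious in CI.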