CycloneDX / specification

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX
https://cyclonedx.org/
Apache License 2.0

[TESTS]: The test sample BOMs in the different formats should be consistent #513

Open andreas-hilti opened 2 weeks ago

andreas-hilti commented 2 weeks ago

Describe the feature

tools\src\test\resources\1.6 contains many valid BOMs in all three serialization formats (JSON, XML, textproto). However, in many cases their content varies between the three forms. I would like to ensure that they represent the same content (as much as possible). This would allow testing whether implementations support the three formats correctly (see for instance https://github.com/CycloneDX/cyclonedx-dotnet-library/pull/331). This allowed me in particular to identify several issues in the cyclonedx-dotnet-library implementation.

If possible, this should also be respected when adding new samples in the future.

Possible solutions

Adjust the test sample files (using in most cases the JSON files as reference). (This applies only to the valid files that are available in the three formats.)

Alternatives

We could also add adjusted samples to the implementation repos (like cyclonedx-dotnet-library). However, this would lead to quite some duplication.

Additional context

The three formats have slight differences, so the samples might not be 100% semantically equivalent. However, the samples also highlight some inconsistencies (and thus could also help to avoid future inconsistencies). One difference, for instance, is that the proto format does not distinguish between an empty list and a null value.
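The kind of cross-format check the issue asks for, as an added example that is not part of the issue or of the specification repository's own tooling: it loads the same BOM from JSON and from XML, normalizes both into one tree, and reports every path where they differ. The normalization drops empty lists and absent values alike, which models the caveat above that protobuf cannot distinguish an empty repeated field from a missing one. The CycloneDX 1.6 XML namespace is real; the two sample BOMs and the `acme-lib` component are constructed for this example, and only a small subset of fields (type, name, version, purl, license ids) is compared.

```python
"""Check that a CycloneDX BOM serialized as JSON and as XML carry the same content."""
import json
import xml.etree.ElementTree as ET

NS = "{http://cyclonedx.org/schema/bom/1.6}"  # CycloneDX 1.6 XML namespace

# Constructed sample BOM in JSON. Note the explicit empty "licenses" list.
SAMPLE_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
  "version": 1,
  "components": [
    {"type": "library", "name": "acme-lib", "version": "1.2.3",
     "purl": "pkg:generic/acme-lib@1.2.3", "licenses": []}
  ]
}"""

# Constructed XML twin of the JSON sample. "licenses" is simply absent here.
SAMPLE_XML = """<bom xmlns="http://cyclonedx.org/schema/bom/1.6"
     serialNumber="urn:uuid:00000000-0000-4000-8000-000000000001" version="1">
  <components>
    <component type="library">
      <name>acme-lib</name>
      <version>1.2.3</version>
      <purl>pkg:generic/acme-lib@1.2.3</purl>
    </component>
  </components>
</bom>"""

# Constructed drifted sample: the component version was edited in only one format.
SAMPLE_XML_DRIFTED = SAMPLE_XML.replace("<version>1.2.3</version>", "<version>1.2.4</version>")


def _prune(value):
    """Recursively drop None, [] and {} so that 'empty' and 'absent' compare equal
    (protobuf cannot tell an empty repeated field from a missing one)."""
    if isinstance(value, dict):
        out = {}
        for key, item in value.items():
            pruned = _prune(item)
            if pruned is None or pruned == [] or pruned == {}:
                continue
            out[key] = pruned
        return out
    if isinstance(value, list):
        return [_prune(item) for item in value]
    return value


def _component_from_json(obj):
    return {
        "type": obj.get("type"),
        "name": obj.get("name"),
        "version": obj.get("version"),
        "purl": obj.get("purl"),
        "licenses": [lic.get("license", {}).get("id") for lic in obj.get("licenses", [])],
    }


def _text(elem, tag):
    child = elem.find(NS + tag)
    return child.text if child is not None else None


def _component_from_xml(elem):
    return {
        "type": elem.get("type"),  # attribute in XML, property in JSON
        "name": _text(elem, "name"),
        "version": _text(elem, "version"),
        "purl": _text(elem, "purl"),
        "licenses": [_text(lic, "id") for lic in elem.iterfind(f"{NS}licenses/{NS}license")],
    }


def load_json_bom(text):
    doc = json.loads(text)
    return _prune({
        "serialNumber": doc.get("serialNumber"),
        "version": doc.get("version"),
        "components": [_component_from_json(c) for c in doc.get("components", [])],
    })


def load_xml_bom(text):
    root = ET.fromstring(text)
    version = root.get("version")
    return _prune({
        "serialNumber": root.get("serialNumber"),
        # XML attributes are strings; JSON carries the BOM version as an integer.
        "version": int(version) if version is not None else None,
        "components": [_component_from_xml(c) for c in root.iterfind(f"{NS}components/{NS}component")],
    })


def diff(a, b, path=""):
    """Return (path, json_value, xml_value) for every leaf where the trees differ."""
    if isinstance(a, dict) and isinstance(b, dict):
        out = []
        for key in sorted(set(a) | set(b)):
            out.extend(diff(a.get(key), b.get(key), f"{path}.{key}" if path else key))
        return out
    if isinstance(a, list) and isinstance(b, list):
        if len(a) != len(b):
            return [(path, len(a), len(b))]
        out = []
        for i, (x, y) in enumerate(zip(a, b)):
            out.extend(diff(x, y, f"{path}[{i}]"))
        return out
    return [] if a == b else [(path, a, b)]


def check_consistent(json_text, xml_text):
    """Empty list means the two serializations agree on the compared fields."""
    return diff(load_json_bom(json_text), load_xml_bom(xml_text))


if __name__ == "__main__":
    print("consistent pair:", check_consistent(SAMPLE_JSON, SAMPLE_XML))
    print("drifted pair:   ", check_consistent(SAMPLE_JSON, SAMPLE_XML_DRIFTED))
```

Extending the same approach to the textproto samples would only need a third loader producing the same normalized tree; the `_prune` step is what keeps the comparison fair when one format cannot express the distinction another one makes.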

jkowalleck commented 2 weeks ago

@andreas-hilti is working on a solution: https://github.com/CycloneDX/specification/pull/514