Festo-se / cyclonedx-editor-validator

Tool for creating, modifying and validating CycloneDX SBOMs.
https://festo-se.github.io/cyclonedx-editor-validator/
GNU General Public License v3.0

Custom validation applies components requirements to tools #209

Open mmarseu opened 3 weeks ago

mmarseu commented 3 weeks ago

This is a side-effect of the change to the tools field in CDX 1.5. When tools is an object, it can contain two arrays: components and services. The official schema applies the regular schemas for those two types to the arrays, which makes sense for them.

In our custom schema that means that all requirements meant for components automatically also apply to tools - for example, bom-ref, copyright, license, etc. This is arguably nonsense and should be changed.
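
As an added illustration (not code from the project, and not its real custom schema), the following Python walks a constructed, much-reduced schema in the shape the issue describes and lists which `required` fields apply at each JSON path, so the leak into `tools.components[]` is visible; `fixed_schema` shows one way to stop it, by pointing `tools.components` at a separate, looser definition (the name `toolComponent` is an assumption, not a CycloneDX definition).

```python
# Constructed, much-reduced stand-in for a custom CycloneDX 1.5 schema (NOT the
# project's real schema, which is far larger and also accepts the legacy tools array).
# The component definition is strengthened with bom-ref, copyright and licenses.
import copy
LEAKY_SCHEMA = {
    "definitions": {
        "component": {"type": "object",
                      "required": ["type", "name", "bom-ref", "copyright", "licenses"]},
        "service": {"type": "object", "required": ["name"]},
    },
    "type": "object",
    "properties": {
        "components": {"type": "array", "items": {"$ref": "#/definitions/component"}},
        "tools": {  # CDX 1.5 object form: components + services arrays
            "type": "object",
            "properties": {
                "components": {"type": "array", "items": {"$ref": "#/definitions/component"}},
                "services": {"type": "array", "items": {"$ref": "#/definitions/service"}},
            },
        },
    },
}

def _resolve(schema, root):
    """Follow a local '#/...' $ref to its target; remote refs are out of scope here."""
    ref = schema.get("$ref")
    if ref is None:
        return schema
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are supported: {ref}")
    node = root
    for part in ref[2:].split("/"):
        node = node[part]
    return node

def required_by_path(schema, root=None, path="$"):
    """Map each JSON path ('$.tools.components[]' etc.) to the sorted 'required' names there."""
    root = schema if root is None else root
    schema = _resolve(schema, root)
    out = {path: sorted(schema["required"])} if "required" in schema else {}
    for name, sub in schema.get("properties", {}).items():
        out.update(required_by_path(sub, root, f"{path}.{name}"))
    if "items" in schema:
        out.update(required_by_path(schema["items"], root, f"{path}[]"))
    return out

def fixed_schema():
    """One fix: give tools.components its own looser definition (hypothetical name)."""
    s = copy.deepcopy(LEAKY_SCHEMA)
    s["definitions"]["toolComponent"] = {"type": "object", "required": ["type", "name"]}
    s["properties"]["tools"]["properties"]["components"]["items"] = {"$ref": "#/definitions/toolComponent"}
    return s
```

Running `required_by_path(LEAKY_SCHEMA)` reports bom-ref, copyright and licenses as required under `$.tools.components[]`, while the fixed variant requires only type and name there and keeps the strict set for `$.components[]`.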

italvi commented 2 weeks ago

Would expect that something like that is covered by our tests 😅

CBeck-96 commented 2 weeks ago

The tests only cover fields contained in our CB specification; tools is not among them.