Festo-se / cyclonedx-editor-validator

Tool for creating, modifying and validating CycloneDX SBOMs.
https://festo-se.github.io/cyclonedx-editor-validator/
GNU General Public License v3.0
21 stars 4 forks source link

Validate sometimes gives nonsensical error messages #259

Open mmarseu opened 3 months ago

mmarseu commented 3 months ago

The code in validate.py which is intended to turn jsonschema validation errors into helpful messages fails catastrophically in some cases. The result is a message which points the user in the wrong direction.

Take this SBOM for example:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "component": {
      "type": "application",
      "name": "demo",
      "licenses": [
        {
          "license": {
            "id": "MIT",
            "licensing": {
              "licenseTypes": [
                "foo"
              ]
            }
          }
        }
      ]
    }
  }
}

Expected result: A message informing the user that foo is not a valid value for licenseTypes.

Actual result:

$> cdx-ev validate test.cdx.json
ERROR: Invalid SBOM (component: demo) - 'foo', 'license' or 'expression' is a required property