Closed bretik closed 1 year ago
Hmm. The test must be broken then. Will have a look. Thanks.
Yeah, I had time to look at the test and it looks like it does not add any components to the output, so it tests only an empty array of identified libraries, which is valid.
Using .flat() on the components in cyclonedx-json.js might solve the issue, but there is another one: if the condition for an already seen component is true, then an empty string is added to the array instead of nothing being added (if (seen[purl]) return ""; ), so it needs to be filtered out too.
Thanks, that '' was a copy/paste bug from the XML output. I really should rewrite to TypeScript at some point...
Fixed the bug in the test as well, and it's now passing with components in it.
Retire.js version (retire --version): 3.2.1
node version (node --version): v18.13.0
Type: Bug
Description: Using the following command, Retire.js generates an invalid CycloneDX SBOM:
retire --exitwith 0 --verbose --outputformat cyclonedxJSON --js --jspath jquery --outputpath sbom/sbom-jquery.json
The components array is "duplicated":
Using a JSON schema validator results in an error: ![image](https://user-images.githubusercontent.com/649117/216254155-a4a9cacb-b6c8-4458-821c-3d2dc52e41ab.png)
https://www.jsonschemavalidator.net/s/nWflHPw8
Expected behaviour: the SBOM will be valid against the schema.
Workaround: the output can be fixed using jq:
cat sbom.json | jq ".components = .components[0]" > sbom-fixed.json
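Added example (not Retire.js code, and not written by the reporter or the maintainer): it reproduces on a constructed input the two defects discussed in the comments, a nested components array and the '' placeholder returned for an already-seen purl, and shows a corrected aggregation, a structural check a consumer can run before schema validation, and a repair function in the spirit of the jq workaround. Unlike `.components = .components[0]`, the repair flattens every inner array and drops the empty strings. The input shape (one inner array per scanned file), the purl format, and the names sampleResults, buildComponentsBuggy, buildComponentsFixed, checkComponents and repairComponents are assumptions made here, not Retire.js internals.

```javascript
// Constructed input, loosely mimicking a per-file scan result. The same jQuery
// build appears twice so that the "already seen" path is exercised.
const sampleResults = [
  { file: 'jquery/jquery-1.12.4.js', results: [{ component: 'jquery', version: '1.12.4' }] },
  { file: 'jquery/jquery.min.js',    results: [{ component: 'jquery', version: '1.12.4' }] },
  { file: 'jquery/jquery-ui.js',     results: [{ component: 'jquery-ui', version: '1.12.1' }] },
];

// Assumed purl format for the example; the real generator may differ.
function purlOf(hit) {
  return `pkg:npm/${hit.component}@${hit.version}`;
}

function toComponent(hit) {
  return { type: 'library', name: hit.component, version: hit.version, purl: purlOf(hit) };
}

// Defective aggregation, modelled on the thread: an outer map over files and an
// inner map over hits yields an array of arrays, and returning '' for a purl that
// was already seen leaves a string where the schema requires an object.
function buildComponentsBuggy(results) {
  const seen = {};
  return results.map(file => file.results.map(hit => {
    const purl = purlOf(hit);
    if (seen[purl]) return '';
    seen[purl] = true;
    return toComponent(hit);
  }));
}

// Corrected aggregation: flatten first, then keep only the first occurrence of
// each purl. Nothing is emitted for duplicates, so no placeholder needs filtering.
function buildComponentsFixed(results) {
  const seen = new Set();
  return results
    .flatMap(file => file.results)
    .map(toComponent)
    .filter(c => {
      if (seen.has(c.purl)) return false;
      seen.add(c.purl);
      return true;
    });
}

// Cheap structural check for the failure modes above, usable on any BOM before
// running a full CycloneDX schema validation.
function checkComponents(components) {
  const problems = [];
  if (!Array.isArray(components)) return ['components is not an array'];
  components.forEach((c, i) => {
    if (Array.isArray(c)) {
      problems.push(`components[${i}] is an array (nested output)`);
    } else if (c === null || typeof c !== 'object') {
      problems.push(`components[${i}] is ${JSON.stringify(c)}, not an object`);
    } else if (typeof c.name !== 'string' || c.name.length === 0) {
      problems.push(`components[${i}] has no name`);
    }
  });
  return problems;
}

// Repair for an already-written BOM: unwrap nested arrays and drop anything that
// is not a component object. Keeps every inner array, not only the first one.
function repairComponents(bom) {
  const flat = (bom.components || []).flat(Infinity);
  const components = flat.filter(c => c !== null && typeof c === 'object' && !Array.isArray(c));
  return { ...bom, components };
}

// Stand-alone demonstration.
const buggy = buildComponentsBuggy(sampleResults);
console.log('buggy problems:', checkComponents(buggy));
console.log('fixed problems:', checkComponents(buildComponentsFixed(sampleResults)));
console.log('repaired count:', repairComponents({ bomFormat: 'CycloneDX', components: buggy }).components.length);
```

Running the block prints three problems for the defective output (each top-level entry is an inner array), none for the corrected one, and two components after repair, since the duplicate jQuery hit collapses to one entry and the '' placeholder is dropped.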