anthonyharrison / lib4sbom

Library to ingest and generate SBOMs
Apache License 2.0

CycloneDX .json Version 1.5 error #43

Closed howellx closed 3 months ago

howellx commented 3 months ago

I ran the following on a CycloneDX 1.5 JSON file:

```python
from lib4sbom.parser import SBOMParser

sbom_parser = SBOMParser()
sbom_parser.parse_file("...")  # path to the CycloneDX 1.5 JSON file
print(f"SBOM type {sbom_parser.get_type()}")
sbom_packages = sbom_parser.get_packages()
sbom_relationships = sbom_parser.get_relationships()
```

It seems like the parser can't properly detect the format type and thus the parser just returns empty lists. When I ran the same code on a CycloneDX 1.4 JSON file for the same project, the parser was working. I've attached the files I used below. There is no difference between the files besides the lifecycles section in metadata and specVersion at the very top. I also ran the same code on a CycloneDX 1.5 XML file for the same project and that worked fine (though GitHub doesn't let us upload XML files).

If this issue is a case of user error, please let me know lol. I used the Maven plugin to generate these SBOMs from the project's pom.xml file.

bom_1.4.json bom_1.5.json

anthonyharrison commented 3 months ago

@howellx I have seen this before and it is normally to do with the metadata processing. I have fixed some issues in the latest version (which will become version 0.7.2) but will check that your SBOMs validate.

anthonyharrison commented 3 months ago

@howellx The 1.5 version is using a deprecated Tools specification in the metadata. I have improved the checking so both 1.4 and 1.5 files should now parse correctly.
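The difference between the two attachments, as the thread explains, comes down to the shape of `metadata.tools`: CycloneDX 1.5 keeps the older array of tool objects only as a deprecated form and introduces an object with `components` and `services` lists, and the Maven plugin still emits the array. The example below is added here and is not lib4sbom's code; it is a small stand-alone parser that detects the spec version from `bomFormat`/`specVersion` only and accepts both tool shapes, so an unexpected metadata layout cannot make a valid file come back with empty package and relationship lists. The three CycloneDX documents it builds are constructed test data, not the issue's attachments, and the function names (`make_bom`, `detect_format`, `normalise_tools`, `parse_cyclonedx`, `check_all`) are the example's own.

```python
import json
from typing import Any, Dict, List, Optional

SUPPORTED_VERSIONS = {"1.2", "1.3", "1.4", "1.5"}


def make_bom(spec_version: str, tools: Any, lifecycles: Optional[list] = None) -> str:
    """Build a minimal CycloneDX JSON document (constructed test data, not the
    attached bom_1.4.json / bom_1.5.json). `tools` is passed through untouched
    so both the legacy array and the 1.5 object form can be exercised."""
    app_ref = "pkg:maven/org.example/demo-app@1.0.0"
    lib_ref = "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"
    metadata: Dict[str, Any] = {
        "tools": tools,
        "component": {"type": "application", "name": "demo-app",
                      "version": "1.0.0", "bom-ref": app_ref},
    }
    if lifecycles is not None:
        metadata["lifecycles"] = lifecycles  # metadata.lifecycles is new in 1.5
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": spec_version,
        "version": 1,
        "metadata": metadata,
        "components": [{"type": "library", "name": "jackson-databind",
                        "version": "2.15.2", "bom-ref": lib_ref}],
        "dependencies": [{"ref": app_ref, "dependsOn": [lib_ref]}],
    })


# Legacy shape (1.4 and earlier; deprecated but still allowed in 1.5).
LEGACY_TOOLS = [{"vendor": "OWASP Foundation",
                 "name": "CycloneDX Maven plugin", "version": "2.7.9"}]
# 1.5 shape: tools are components/services rather than bare tool objects.
NEW_TOOLS = {"components": [{"type": "application",
                             "name": "CycloneDX Maven plugin", "version": "2.7.9"}],
             "services": []}

BOM_1_4 = make_bom("1.4", LEGACY_TOOLS)
BOM_1_5_LEGACY_TOOLS = make_bom("1.5", LEGACY_TOOLS, lifecycles=[{"phase": "build"}])
BOM_1_5_NEW_TOOLS = make_bom("1.5", NEW_TOOLS, lifecycles=[{"phase": "build"}])


def detect_format(doc: Dict[str, Any]) -> str:
    """Return the spec version of a CycloneDX JSON document or raise ValueError.
    Detection looks only at bomFormat/specVersion, so the layout of metadata
    can never make a valid file look like 'not an SBOM'."""
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document (bomFormat missing or wrong)")
    spec = str(doc.get("specVersion", ""))
    if spec not in SUPPORTED_VERSIONS:
        raise ValueError(f"unsupported CycloneDX specVersion {spec!r}")
    return spec


def normalise_tools(tools: Any) -> List[Dict[str, str]]:
    """Accept both shapes of metadata.tools and return a flat list of
    {name, version}: a list of tool objects (legacy) or an object holding
    'components' and 'services' arrays (1.5)."""
    if tools is None:
        return []
    if isinstance(tools, list):
        entries = tools
    elif isinstance(tools, dict):
        entries = list(tools.get("components", [])) + list(tools.get("services", []))
    else:
        raise ValueError(f"unexpected metadata.tools type {type(tools).__name__}")
    return [{"name": t.get("name", ""), "version": t.get("version", "")} for t in entries]


def parse_cyclonedx(text: str) -> Dict[str, Any]:
    """Parse a CycloneDX JSON string into packages and (ref, dependsOn) pairs."""
    doc = json.loads(text)
    spec = detect_format(doc)
    metadata = doc.get("metadata", {})
    packages = []
    root = metadata.get("component")
    if root:  # the component the SBOM describes counts as a package too
        packages.append({"name": root["name"], "version": root.get("version", ""),
                         "ref": root.get("bom-ref", "")})
    for comp in doc.get("components", []):
        packages.append({"name": comp["name"], "version": comp.get("version", ""),
                         "ref": comp.get("bom-ref", "")})
    relationships = [(d["ref"], dep) for d in doc.get("dependencies", [])
                     for dep in d.get("dependsOn", [])]
    return {
        "type": "cyclonedx",
        "spec_version": spec,
        "tools": normalise_tools(metadata.get("tools")),
        "lifecycles": [lc.get("phase") for lc in metadata.get("lifecycles", [])],
        "packages": packages,
        "relationships": relationships,
    }


def check_all() -> Dict[str, int]:
    """The regression check from the thread: every variant must yield the
    same package count regardless of how metadata.tools is written."""
    variants = [("1.4", BOM_1_4), ("1.5-legacy-tools", BOM_1_5_LEGACY_TOOLS),
                ("1.5-tools-object", BOM_1_5_NEW_TOOLS)]
    return {name: len(parse_cyclonedx(bom)["packages"]) for name, bom in variants}


if __name__ == "__main__":
    for name, bom in [("1.4", BOM_1_4), ("1.5 legacy tools", BOM_1_5_LEGACY_TOOLS),
                      ("1.5 tools object", BOM_1_5_NEW_TOOLS)]:
        r = parse_cyclonedx(bom)
        print(f"{name}: spec {r['spec_version']}, tools {r['tools']}, "
              f"{len(r['packages'])} packages, {len(r['relationships'])} relationships")
```

The point of `check_all` is the one raised in the issue: a parser that gates on metadata shape fails silently with empty lists, whereas one that validates `bomFormat`/`specVersion` first and treats `metadata.tools` as either shape returns the same components for a 1.4 file, a 1.5 file with the deprecated array, and a 1.5 file with the new object.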