Closed howellx closed 3 months ago
@howellx I have seen this before and is normally to do with the metadata processing. I have fixed some issues in the latest version (which will become version 0.7.2) but will check that your SBOMs validate.
@howellx The 1.5 version is using a deprecated Tools specification in the metadata. I have improved the checking so both 1.4 and 1.5 files should now parse correctly.
I ran the following on a CycloneDx 1.5 json file:
```python
from lib4sbom.parser import SBOMParser

sbom_parser = SBOMParser()
sbom_parser.parse_file("...")  # path to the CycloneDX 1.5 JSON file
print(f"SBOM type {sbom_parser.get_type()}")
sbom_packages = sbom_parser.get_packages()
sbom_relationships = sbom_parser.get_relationships()
```
It seems like the parser can't properly detect the format type and thus the parser just returns empty lists. When I ran the same code on a CycloneDx 1.4 json file for the same project, the parser was working. I've attached the files I used below. There is no difference between the files besides the `lifecycles` section in metadata and `specVersion` at the very top. I also ran the same code on a CycloneDx 1.5 xml file for the same project and that worked fine (though GitHub doesn't let us upload xml files). If this issue is a case of user error, please let me know lol. I used the maven plugin to generate these sboms from the project's pom.xml file.
bom_1.4.json bom_1.5.json
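The maintainer's reply points at the actual difference between the two files: CycloneDX 1.5 moved `metadata.tools` from a plain array of tool objects (now deprecated) to an object with `components` and `services` arrays, and added `metadata.lifecycles`. A parser that keys format detection off the metadata layout rather than `bomFormat`/`specVersion` will reject the 1.5 file outright and hand back empty package and relationship lists. The following is an added example, not lib4sbom's own code: a small standalone reader that detects the format from the top-level keys and normalises both `tools` shapes. The two sample BOMs are constructed to mirror the minimal structure the CycloneDX Maven plugin emits; they are not the files attached to this issue, and the component and tool values in them are placeholders.

```python
import json

# Constructed sample: CycloneDX 1.4 JSON. metadata.tools is an array of tool objects.
BOM_1_4 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
        "tools": [{"vendor": "OWASP Foundation", "name": "CycloneDX Maven plugin", "version": "2.7.9"}],
        "component": {"type": "application", "bom-ref": "pkg:maven/example/example-app@1.0.0",
                      "name": "example-app", "version": "1.0.0"},
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/org.apache.commons/commons-lang3@3.12.0",
         "name": "commons-lang3", "version": "3.12.0",
         "purl": "pkg:maven/org.apache.commons/commons-lang3@3.12.0"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/example/example-app@1.0.0",
         "dependsOn": ["pkg:maven/org.apache.commons/commons-lang3@3.12.0"]},
    ],
})

# Constructed sample: the same project as CycloneDX 1.5. Only specVersion, the
# tools layout (object with components/services) and the new lifecycles field differ.
_doc_1_5 = json.loads(BOM_1_4)
_doc_1_5["specVersion"] = "1.5"
_doc_1_5["metadata"]["lifecycles"] = [{"phase": "build"}]
_doc_1_5["metadata"]["tools"] = {
    "components": [{"type": "application", "author": "OWASP Foundation",
                    "name": "CycloneDX Maven plugin", "version": "2.7.9"}]
}
BOM_1_5 = json.dumps(_doc_1_5)


def detect_format(text):
    """Return (sbom_type, spec_version), or (None, None) for anything that is not a
    CycloneDX JSON BOM. Detection uses only bomFormat/specVersion, so a field that
    exists in one spec version but not another (e.g. metadata.lifecycles) cannot
    cause a valid document to be misclassified."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return None, None
    if not isinstance(doc, dict) or doc.get("bomFormat") != "CycloneDX":
        return None, None
    return "cyclonedx", str(doc.get("specVersion", ""))


def extract_tools(doc):
    """Normalise metadata.tools to (name, version) tuples across the legacy array
    form (<= 1.4, deprecated in 1.5) and the 1.5 object form."""
    tools = doc.get("metadata", {}).get("tools", [])
    if isinstance(tools, list):           # legacy: [ {name, version, ...}, ... ]
        entries = tools
    elif isinstance(tools, dict):         # 1.5: {"components": [...], "services": [...]}
        entries = tools.get("components", []) + tools.get("services", [])
    else:
        return []
    return [(t.get("name", ""), t.get("version", "")) for t in entries if isinstance(t, dict)]


def extract_packages(doc):
    """Top-level components as (name, version, purl) tuples."""
    return [(c.get("name"), c.get("version"), c.get("purl")) for c in doc.get("components", [])]


def extract_relationships(doc):
    """Flatten the dependency graph into (ref, DEPENDS_ON, target) triples."""
    return [(dep["ref"], "DEPENDS_ON", target)
            for dep in doc.get("dependencies", []) if "ref" in dep
            for target in dep.get("dependsOn", [])]


def parse(text):
    """Parse a CycloneDX JSON BOM; unknown input yields empty lists rather than an error."""
    sbom_type, version = detect_format(text)
    if sbom_type is None:
        return {"type": None, "version": None, "tools": [], "packages": [], "relationships": []}
    doc = json.loads(text)
    return {"type": sbom_type, "version": version, "tools": extract_tools(doc),
            "packages": extract_packages(doc), "relationships": extract_relationships(doc)}


if __name__ == "__main__":
    for label, text in (("1.4", BOM_1_4), ("1.5", BOM_1_5)):
        result = parse(text)
        print(label, result["type"], result["version"], result["tools"],
              len(result["packages"]), "packages", len(result["relationships"]), "relationships")
```

Running it shows both documents detected as `cyclonedx` with the same tool, package and relationship lists, which is the behaviour the issue expects from the 1.5 file. The point of the split between `detect_format` and the `extract_*` helpers is that a layout change inside `metadata` should at worst lose one field, never the whole document.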