devops-kung-fu / trustier

Takes a software bill of materials and outputs provenance and activity data from trustypkg.dev
Mozilla Public License 2.0

Fails to process valid CycloneDX SBOM #5

Open anthonyharrison opened 1 month ago

anthonyharrison commented 1 month ago

Tried with a CycloneDX 1.5 SBOM. SBOM validated using the CycloneDX Validator tool but it fails to process. No idea why! Could error messages be added to the output to explain why the SBOM doesn't validate?

```
DevOps Kung Fu Mafia
https://github.com/devops-kung-fu/trustier

* Reading SBOM from file...
* Loaded SBOM from input...
* Provided input is not a valid SBOM
```

The (sensitive) SBOM contains over 700 components, the majority are files but there are 13 components identified as library.

djschleen commented 1 month ago

Hey @anthonyharrison, thanks for logging this. I'm using the Rust crate from CycloneDX to load and process the SBOM. They have a validate function that I call, but it seems to have caused problems. Likely an opinionated check - there were a few fields I noticed from components that were needed - but for the sake of trustier operation, not needed.

I'll take a look and see if I can get a list of errors back and display them, but I'm thinking that as long as the SBOM can be loaded, and trustier has the fields it needs, then we don't error out.
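The lenient loading described in the comment above (explain every validation problem, but keep going when the SBOM loads and has the fields the lookup needs), as an added Python illustration: this is not trustier's code and not the CycloneDX Rust crate. It assumes that a `purl` is the field a package lookup needs and uses a constructed three-component SBOM.

```python
import json
from dataclasses import dataclass, field

# Constructed minimal CycloneDX 1.5 document for illustration, not the
# reporter's SBOM: one library with a purl, one library without, one file.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "serde", "version": "1.0.0",
         "purl": "pkg:cargo/serde@1.0.0"},
        {"type": "library", "name": "mystery", "version": "0.1.0"},
        {"type": "file", "name": "src/main.rs"},
    ],
})

@dataclass
class LoadResult:
    usable: list = field(default_factory=list)    # libraries with a purl
    warnings: list = field(default_factory=list)  # reported, processing continues
    errors: list = field(default_factory=list)    # the document cannot be used

def load_sbom(text: str) -> LoadResult:
    """Parse CycloneDX JSON leniently: report every problem found, but only
    refuse the document when it is not a CycloneDX BOM at all."""
    result = LoadResult()
    try:
        bom = json.loads(text)
    except json.JSONDecodeError as exc:
        result.errors.append(f"input is not JSON: {exc.msg}")
        return result
    if not isinstance(bom, dict) or bom.get("bomFormat") != "CycloneDX":
        result.errors.append("bomFormat is not 'CycloneDX'")
        return result
    if bom.get("specVersion") not in {"1.4", "1.5", "1.6"}:
        result.warnings.append(f"unexpected specVersion {bom.get('specVersion')!r}")
    for idx, comp in enumerate(bom.get("components", [])):
        label = comp.get("name") or f"component #{idx}"
        ctype = comp.get("type")
        if ctype is None:
            result.warnings.append(f"{label}: missing required field 'type'")
        elif ctype != "library":
            continue  # files, applications etc. have nothing to look up
        elif "purl" not in comp:
            # Assumption: a purl is what a package-registry lookup needs.
            result.warnings.append(f"{label}: library without purl, skipped")
        else:
            result.usable.append(comp)
    return result
```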