eclipse-sw360 / sw360

SW360 project
https://www.eclipse.org/sw360/

SBOM export - file validation failed #2379

Open JackieOss opened 4 months ago

JackieOss commented 4 months ago

Description

After exporting an SBOM in CycloneDX v1.4 format, the validation failed. The first issue is that with the sequence the first entry misses the type attribute, which is mandatory according to the XML schema. E.g.

zlib

After correction to

The next issue is:

Validation failed at line number 29 and position 63: The 'http://cyclonedx.org/schema/bom/1.4:id' element is invalid - The value 'Zlib License - Jean-loup Gailly and Mark Adler' is invalid according to its datatype 'http://cyclonedx.org/schema/spdx:licenseId' - The Enumeration constraint failed.

#### How to reproduce

- Export SBOM as CycloneDX in XML format.
- Download CLI tool from https://github.com/CycloneDX/cyclonedx-cli
- Execute `.\cyclonedx-win-x64.exe validate --input-version v1_4 --input-format xml --input-file`

#### Screenshots

zlib 1.2.8 zlib is a library implementing the deflate compression method found in gzip and PKZIP BSL-1.0 Zlib License - Jean-loup Gailly and Mark Adler Zlib zLib License __ZLIB License {Zlib} GPL-3.0+ -- https://zlib.net/

### Versions

Version: 18.0.0 | Branch: UNKNOWN (fd29ef6) | Build time: 2024-01-15T06:30:33Z

### Logs

Any logs (if any) generated in

#### SW360 logs

Logs generated under /var/log/sw360/sw360.log

#### Tomcat logs

Logs generated under /var/log/tomcat/error.log
JackieOss commented 4 months ago

"screenshot"

```
Validating XML BOM...
Validation failed at line number 29 and position 63: The 'http://cyclonedx.org/schema/bom/1.4:id' element is invalid - The value 'Zlib License - Jean-loup Gailly and Mark Adler' is invalid according to its datatype 'http://cyclonedx.org/schema/spdx:licenseId' - The Enumeration constraint failed.
BOM is not valid.
```

afsahsyeda commented 4 months ago

Hi @JackieOss, the CycloneDX Component Type field of a component has to be populated for the type field to appear in the exported SBOM. As far as licenses are concerned, they are read as they are from the Main and Other Licenses present at the Release level. We can provide validation at the SW360 level in order to prevent the export of an invalid SBOM, and also allow the user to configure the addition of licenses. Thanks for your input!
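The pre-export validation proposed above, as an added example that is not SW360's own code and not part of this thread. It reproduces the two schema violations from the report on a constructed sample BOM (a `component` without a `type` attribute, and free-text license strings in `license/id`), flags them, and rewrites the document the way the CycloneDX 1.4 schema expects: a missing type is filled from a hypothetical `default_type` (in SW360 this would come from the CycloneDX Component Type field), and any `id` that is not an SPDX identifier is re-emitted as `name`, which the schema allows for arbitrary license text. `SPDX_IDS` is a deliberately small constructed subset of the SPDX license list; a real check would load the full enumeration from `spdx.xsd`. Only the Python standard library is used. An SBOM that fails schema validation is silently ignored or rejected by most downstream consumers (vulnerability scanners, license-compliance tooling), so catching this before export is a supply-chain concern, not just a cosmetic one.

```python
"""Pre-export sanity check for a CycloneDX 1.4 XML BOM (added example, not SW360 code)."""
import xml.etree.ElementTree as ET

NS = "http://cyclonedx.org/schema/bom/1.4"
CDX = "{%s}" % NS

# Constructed subset of the SPDX license list; spdx.xsd enumerates hundreds of IDs.
SPDX_IDS = {"Zlib", "BSL-1.0", "GPL-3.0-or-later", "GPL-3.0+", "MIT", "Apache-2.0"}

# Constructed sample reproducing the report: no type attribute on <component>,
# and a free-text license string placed in <id> instead of <name>.
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component>
      <name>zlib</name>
      <version>1.2.8</version>
      <licenses>
        <license><id>Zlib License - Jean-loup Gailly and Mark Adler</id></license>
        <license><id>BSL-1.0</id></license>
      </licenses>
    </component>
  </components>
</bom>
"""


def _is_spdx(text):
    """True if the element text is one of the known SPDX license identifiers."""
    return (text or "").strip() in SPDX_IDS


def find_problems(xml_text):
    """Return one message per schema violation; an empty list means the checks pass."""
    root = ET.fromstring(xml_text)
    problems = []
    for comp in root.iter(CDX + "component"):
        name = comp.findtext(CDX + "name") or "<unnamed>"
        if "type" not in comp.attrib:
            problems.append(f"{name}: component is missing the mandatory 'type' attribute")
        for lic in comp.iter(CDX + "license"):
            lid = lic.find(CDX + "id")
            if lid is not None and not _is_spdx(lid.text):
                problems.append(
                    f"{name}: license id {lid.text!r} is not an SPDX identifier; "
                    "emit it as <name> instead"
                )
    return problems


def fix_bom(xml_text, default_type="library"):
    """Rewrite the BOM so both checks pass and return the serialized XML.

    default_type is an assumption for the example; SW360 would take the value
    from the release's CycloneDX Component Type field instead of guessing.
    """
    ET.register_namespace("", NS)  # serialize with the default namespace, as exported
    root = ET.fromstring(xml_text)
    for comp in root.iter(CDX + "component"):
        if "type" not in comp.attrib:
            comp.set("type", default_type)
        for lic in comp.iter(CDX + "license"):
            lid = lic.find(CDX + "id")
            if lid is not None and not _is_spdx(lid.text):
                lid.tag = CDX + "name"  # <id> is restricted to spdx:licenseId; <name> is free text
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for p in find_problems(SAMPLE_BOM):
        print("FAIL:", p)
    fixed = fix_bom(SAMPLE_BOM)
    print("after fix:", find_problems(fixed) or "no problems")
    print(fixed)
```

Run the fixed output through `cyclonedx-cli validate --input-version v1_4 --input-format xml` as in the report; this script only checks the two constraints the thread identifies and is not a substitute for full schema validation.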