Closed: sebastianbergmann closed this issue 1 year ago
Instead of using `xmllint`, I've used a `DOMDocument::schemaValidate` user script.
```php
<?php
// Render one libxml error record as an HTML fragment.
function libxml_display_error($error)
{
    $return = "<br/>\n";
    switch ($error->level) {
        case LIBXML_ERR_WARNING:
            $return .= "<b>Warning $error->code</b>: ";
            break;
        case LIBXML_ERR_ERROR:
            $return .= "<b>Error $error->code</b>: ";
            break;
        case LIBXML_ERR_FATAL:
            $return .= "<b>Fatal Error $error->code</b>: ";
            break;
    }
    $return .= trim($error->message);
    if ($error->file) {
        $return .= " in <b>$error->file</b>";
    }
    $return .= " on line <b>$error->line</b>\n";
    return $return;
}

// Print every queued libxml error, then clear the queue.
function libxml_display_errors()
{
    $errors = libxml_get_errors();
    foreach ($errors as $error) {
        print libxml_display_error($error);
    }
    libxml_clear_errors();
}

// Collect libxml errors instead of emitting PHP warnings.
libxml_use_internal_errors(true);

$xml = new DOMDocument();
$xml->load('phpunit-10.0.7-sbom.xml');

// Validate the generated SBOM against the CycloneDX 1.4 XSD.
if (!$xml->schemaValidate('bom-1.4.xsd')) {
    print '<b>DOMDocument::schemaValidate() Generated Errors!</b>';
    libxml_display_errors();
}
```
Where:

- `phpunit-10.0.7-sbom.xml` is the output of the `phpunit-10.0.7.phar --sbom` command
- `bom-1.4.xsd` is the contents of https://raw.githubusercontent.com/CycloneDX/cyclonedx-php-library/master/res/bom-1.4.SNAPSHOT.xsd

Script execution gave me:

```
<b>DOMDocument::schemaValidate() Generated Errors!</b><br/>
<b>Error 1845</b>: Element '{https://cyclonedx.org/schema/bom/1.4}bom': No matching global declaration available for the validation root. in <b>/shared/backups/bartlett/box-manifest/phpunit-10.0.7-sbom.xml</b> on line <b>2</b>
```
https://cyclonedx.org/schema/bom/1.4 is what we reference in the generated XML.
Ok, got it! With the `cyclonedx-cli validate` command. The version is not auto-detected, so specify it and you'll get the error: easy to fix then!
```
docker run --rm --user $(id -u):$(id -g) --mount type=bind,source=$PWD,target=/tmp -w /tmp cyclonedx/cyclonedx-cli validate --input-file phpunit-10.0.7-sbom.xml --input-version v1_4
Validating XML BOM...
Invalid namespace URI: expected http://cyclonedx.org/schema/bom/1.4 actual https://cyclonedx.org/schema/bom/1.4
BOM is not valid.
```
Replace https://github.com/sebastianbergmann/phpunit/blob/main/build/scripts/phar-manifest.php#L54 (https) by (http)
This sounds like an issue with their validator: why do they refuse HTTPS and want HTTP? Sounds silly to me.
Agree with you !
The official specification uses the http protocol: https://cyclonedx.org/docs/1.4/xml/ So unless they choose to use the https protocol, I suppose anybody who wants to implement their format should follow their specs.
Is `https` instead of `http` really the only issue here?

They (CycloneDX) decided to use only (as of today) the `http` protocol for their specifications. So if you use `https`, your results won't be validated.
I get that. But is this the only reason why PHPUnit's SBOM does not validate?
Yes. I've just re-checked, at least with the PHPUnit 10.0.7 PHAR, with their own validator:

```
docker run --rm -it -v /tmp:/tmp -v $(pwd):/app:rw cyclonedx/cyclonedx-cli validate --input-file /app/sbom.xml --input-version v1_4
```
Thank you!
> This sounds like an issue with their validator: why do they refuse HTTPS and want HTTP? Sounds silly to me.
@sebastianbergmann @llaville I feel obliged to point out that what is in the `xmlns` is a URI, not a URL. The XML spec mandates that the `xmlns` is to be taken as a literal string, so you have to think of it the same way as a hash or a UUID. In fact, it can as well be a UUID (under the "urn" scheme). The reason why they look like URLs is purely a best practice, so that they have some meaningful content for humans and are supposedly world-wide unique (as you are supposed to own the domain you choose in there).
So no, it's not silly at all; using HTTPS instead of HTTP is in fact a big mistake 😄
EDIT: To strengthen the concept above, the "URL" you get out of it does not necessarily point to anything; it can be a 404 or a non-existing subdomain or anything. You are not meant to use it as a URL at all.
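The literal-string comparison described above, as an added example that is not code from this thread, from PHPUnit or from CycloneDX: a small Python check that reports the namespace a BOM's root element actually declares against the exact string the 1.4 schema expects, run on two constructed one-element BOMs. The `CYCLONEDX_NS` table and the two BOM snippets are my own constructions.

```python
"""Check that a CycloneDX XML BOM declares the exact namespace its schema expects."""
import xml.etree.ElementTree as ET
from typing import Tuple

# Namespace names are compared byte-for-byte by XML tooling, so each spec
# version is keyed by its exact declared string (assumed table; http, not https).
CYCLONEDX_NS = {
    "1.4": "http://cyclonedx.org/schema/bom/1.4",
}


def split_qname(tag: str) -> Tuple[str, str]:
    """Split ElementTree's '{uri}local' tag form into (uri, local)."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return "", tag


def check_bom_namespace(xml_text: str, version: str) -> dict:
    """Return what the root element declares versus what the schema wants.

    No URL normalisation is attempted on purpose: 'https://...' and
    'http://...' are two different namespace names, which is exactly why
    schemaValidate() finds no global declaration for the root element.
    """
    expected = CYCLONEDX_NS[version]
    root = ET.fromstring(xml_text)
    actual, local = split_qname(root.tag)
    return {
        "root": local,
        "expected": expected,
        "actual": actual,
        "valid": local == "bom" and actual == expected,
    }


# Constructed minimal BOMs (not PHPUnit's output), one per namespace spelling.
BAD_BOM = '<?xml version="1.0"?><bom xmlns="https://cyclonedx.org/schema/bom/1.4" version="1"/>'
GOOD_BOM = '<?xml version="1.0"?><bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1"/>'

if __name__ == "__main__":
    for label, doc in (("https", BAD_BOM), ("http", GOOD_BOM)):
        print(label, check_bom_namespace(doc, "1.4"))
```

The same check applies to any consumer that ingests third-party SBOMs: a document in an unexpected namespace is simply a different vocabulary to the schema, not a near-miss to be repaired.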
@thg2k Thank you for clarifying, and sorry for using the word "silly".
Reported by @llaville in https://github.com/box-project/box/issues/841#issuecomment-1424138539.