
Utility is passing an invalid SBOM #115

Open
nigellh opened this issue Dec 24, 2024 · 0 comments

nigellh commented Dec 24, 2024

Unfortunately I cannot give the SBOM, but it would be pretty easy to create.

I had an SBOM that would not load into Dependency Track with a Schema Validation error. Using the latest version of this tool I ran the validation against it and this is the output:

    Welcome to the sbom-utility! Version `v0.17.0` (sbom-utility) (darwin/amd64)
    ============================================================================
    [INFO] Loading (embedded) default schema config file: `config.json`...
    [INFO] Loading (embedded) default license policy file: `license.json`...
    [INFO] Attempting to load and unmarshal data from: `nps_saas_11.2.3.4_20241223_191016-collected-EDITOR/nps_saas_11.2.3.4_20241223_191016-collected-original-sbom.cdx.json`...
    [INFO] Successfully unmarshalled data from: `nps_saas_11.2.3.4_20241223_191016-collected-EDITOR/nps_saas_11.2.3.4_20241223_191016-collected-original-sbom.cdx.json`
    [INFO] Determining file's BOM format and version...
    [INFO] Determined BOM format, version (variant): `CycloneDX`, `1.4` (latest)
    [INFO] Matching BOM schema (for validation): schema/cyclonedx/1.4/bom-1.4.schema.json
    [INFO] Loading schema `schema/cyclonedx/1.4/bom-1.4.schema.json`...
    [INFO] Schema `schema/cyclonedx/1.4/bom-1.4.schema.json` loaded.
    [INFO] Validating `nps_saas_11.2.3.4_20241223_191016-collected-EDITOR/nps_saas_11.2.3.4_20241223_191016-collected-original-sbom.cdx.json`...
    [INFO] BOM valid against JSON schema: `true`

The short version of several hours of work is that I tracked it to an entry. The entry in error is as follows:

    {
      "type": "library",
      "bom-ref": "pkg:pypi/example@21.12",
      "supplier": {
        "url": [
          "Not Found"
        ]
      },
      "author": "UNKNOWN",
      "name": "example",
      "version": "21.12",
      "description": "UNKNOWN",
      "licenses": [
        {
          "license": {
            "id": "Apache-2.0"
          }
        }
      ],
      "copyright": "No copyright found",
      "purl": "pkg:pypi/example@21.12",
      "properties": [
        {
          "name": "Relationship Completeness",
          "value": "Unknown"
        }
      ]
    },

This is the fixed one:

    {
      "type": "library",
      "bom-ref": "pkg:pypi/example@21.12",
      "supplier": {
        "url": [
          ""
        ]
      },
      "author": "UNKNOWN",
      "name": "example",
      "version": "21.12",
      "description": "UNKNOWN",
      "licenses": [
        {
          "license": {
            "id": "Apache-2.0"
          }
        }
      ],
      "copyright": "No copyright found",
      "purl": "pkg:pypi/example@21.12",
      "properties": [
        {
          "name": "Relationship Completeness",
          "value": "Unknown"
        }
      ]
    },

The difference is in this section:

      "supplier": {
        "url": [
          "Not Found"
        ]
      },

Looking at the spec https://cyclonedx.org/docs/1.5/json/#components_items_supplier_url, it clearly states that it needs to be a URL (or several of them).

Could the validation tool please be updated to validate this field properly? Thanks.
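As an added example (my own code, not sbom-utility's validator and not the reporter's SBOM), the check below walks every component of a CycloneDX document and reports `supplier.url` items that are not URLs. The default mode applies the RFC 3986 character rule that the schema's URI/IRI-reference format expresses, so a value with a space such as `"Not Found"` is rejected; the `strict=True` mode is a stricter policy of this example and additionally demands a scheme and host. The function names and the embedded `SAMPLE_BOM` are constructed for the example.

```python
"""Flag CycloneDX supplier.url entries that are not URLs.

Added example for this issue; it is not sbom-utility code and does not
reproduce its validator. It walks every component (including nested
components) and reports supplier.url items that fail one of two checks:

  * default: the value must be a syntactically valid RFC 3986 URI
    reference (no whitespace or other characters outside the allowed set);
  * strict=True: the value must additionally be an absolute URL with a
    scheme and host, a stricter policy chosen for this example.
"""
import json
import re
from urllib.parse import urlsplit

# Characters permitted in an RFC 3986 URI reference: unreserved, reserved
# (gen-delims and sub-delims) and percent-encoded octets. A space, as in
# "Not Found", is not in this set.
_URI_REF = re.compile(r"^(?:[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=]|%[0-9A-Fa-f]{2})*$")


def is_uri_reference(value):
    """True if value is a string made only of URI-reference characters."""
    return isinstance(value, str) and _URI_REF.match(value) is not None


def is_absolute_url(value):
    """True if value is a URI reference that also carries a scheme and host."""
    if not is_uri_reference(value):
        return False
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. an unbalanced IPv6 literal such as "http://[::1"
        return False
    return bool(parts.scheme) and bool(parts.netloc)


def iter_components(components):
    """Yield every component in document order, descending into nested ones."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components") or [])


def find_bad_supplier_urls(bom, strict=False):
    """Return (bom-ref, offending value, reason) for every bad supplier.url item."""
    check, reason = ((is_absolute_url, "not an absolute URL") if strict
                     else (is_uri_reference, "not a valid URI reference"))
    findings = []
    for comp in iter_components(bom.get("components") or []):
        supplier = comp.get("supplier") or {}
        for url in supplier.get("url") or []:
            if not check(url):
                findings.append((comp.get("bom-ref"), url, reason))
    return findings


def check_bom_file(path, strict=False):
    """Load a CycloneDX JSON file from disk and run the same check on it."""
    with open(path, encoding="utf-8") as fh:
        return find_bad_supplier_urls(json.load(fh), strict=strict)


# Constructed sample BOM (not the reporter's SBOM): one component carrying the
# "Not Found" value from the issue, one with the "" value from the fixed
# entry, and one with a real URL.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/example@21.12", "name": "example",
         "version": "21.12", "supplier": {"url": ["Not Found"]}},
        {"type": "library", "bom-ref": "pkg:pypi/fixed@21.12", "name": "fixed",
         "version": "21.12", "supplier": {"url": [""]}},
        {"type": "library", "bom-ref": "pkg:pypi/good@1.0", "name": "good",
         "version": "1.0", "supplier": {"url": ["https://example.org/good"]}},
    ],
}

if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "default")
        for ref, url, why in find_bad_supplier_urls(SAMPLE_BOM, strict=mode):
            print(f"  {ref}: supplier.url {url!r} {why}")
```

Two points worth knowing when reading the result. First, JSON Schema `format` keywords (such as `iri-reference`) are annotations unless a validator is run with format assertion enabled, which is a common general reason a schema-only check accepts a value that a stricter consumer rejects. Second, the empty string in the fixed entry is a valid (empty) relative reference under RFC 3986, so the default mode accepts it; the strict mode exists for teams that want `supplier.url` to carry an actual absolute URL or be omitted.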
