`component.name` and `service.name` are required as per CycloneDX specification, but the schema doesn't sufficiently enforce this requirement (CycloneDX/specification#461).
Because DT trims names from the BOM during model conversion, empty or blank names end up becoming `null`. Since the respective database columns have a `NOT NULL` constraint on them, inserting or updating such components will always fail.
Usually we would not want to try to "repair" data, but the name being empty appears to be so common that there's no other sensible way for us to deal with it.
With this change, empty names will end up being saved as `-` instead, to signal the absence of a proper value.
Fixes DependencyTrack#2821
Signed-off-by: nscuro <[email protected]>
If a property is required, it should also not be an empty string. There are many places in the BOM schema where we use `"required": [...]` but do not also verify that these properties have `"minLength": 1`. An example is `.components[].name`:
specification/schema/bom-1.6.schema.json, line 831 in 8e131b1
It may be that optional properties should have this constraint as well. Consider the following example:
If `whatever` does not have a version, it would be more clear if that key were to be omitted rather than provided as an empty string.
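
The gap described in this issue, as an added example that is not part of the original issue or of the CycloneDX or Dependency-Track code: a small Python lint over a constructed BOM that compares what `"required"` alone accepts, what `"required"` plus `"minLength": 1` accepts, and what is left once a consumer trims the name. The helper names and the sample BOM are assumptions made for illustration.

```python
import json

# Hypothetical helper names; added illustration, not project code.
# Constructed sample BOM (not from the issue). Every entry carries the
# required "name" key, so a "required"-only schema accepts all of them.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {"type": "library", "name": "acme-lib", "version": "1.0.0"},
    {"type": "library", "name": "", "version": "2.1.0"},
    {"type": "library", "name": "   ", "version": ""}
  ],
  "services": [{"name": ""}]
}
""")


def required_only(item):
    """What `"required": ["name"]` checks on its own: the key is present."""
    return "name" in item


def required_min_length(item):
    """`required` plus `"minLength": 1`: present and at least one character."""
    return isinstance(item.get("name"), str) and len(item["name"]) >= 1


def survives_trim(item):
    """Consumer-side view: the name is still non-empty after trimming."""
    return required_min_length(item) and item["name"].strip() != ""


def lint(bom, check):
    """Return the paths of component/service names that fail `check`."""
    return [
        f"/{key}/{i}/name"
        for key in ("components", "services")
        for i, item in enumerate(bom.get(key, []))
        if not check(item)
    ]


if __name__ == "__main__":
    for check in (required_only, required_min_length, survives_trim):
        print(f"{check.__name__}: {lint(SAMPLE_BOM, check)}")
```

The whitespace-only name passes `"minLength": 1` yet becomes empty once a consumer trims it, so a consumer that trims still needs its own check after validation.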