
CycloneDX CLI seems to output invalid BOM when license exists with empty name #325

Open
rmartine-ias opened this issue Jun 29, 2023 · 0 comments

Comments


rmartine-ias commented Jun 29, 2023

We started getting validation errors for merged BOMs recently, that the license schema was invalid:

#/components/152/licenses/0/license: Expected 1 matching subschema but found 0

Upon inspection, this is because the BOM generated by cyclonedx-cli has components like this:

Full component from BOM

(As a side issue, the Chinese characters are not handled correctly)

    {
      "type": "library",
      "bom-ref": "pkg:maven/com.aliyun/[email protected]?type=jar",
      "group": "com.aliyun",
      "name": "aliyun-java-sdk-ram",
      "version": "3.1.0",
      "description": "Aliyun Open API SDK for Java Copyright (C) Alibaba Cloud Computing All rights reserved. \u7248\u6743\u6240\u6709 \uFF08C\uFF09\u963F\u91CC\u4E91\u8BA1\u7B97\u6709\u9650\u516C\u53F8 http://www.aliyun.com",
      "hashes": [
        {
          "alg": "MD5",
          "content": "4993d72b4b59a3a895210a94cda33af4"
        },
        {
          "alg": "SHA-1",
          "content": "095454c18fb12f8fcdbeae4747adfa29bfe6bf17"
        },
        {
          "alg": "SHA-256",
          "content": "cab0f01bd0ae3dbefd047401b58836ecc6e207e0eb5af18a959e211cb35080a1"
        },
        {
          "alg": "SHA-384",
          "content": "8acbadce5b682f72bf6d8c170ee8b9cbedbfd0cee57ba7f7f9af21477deb4a223625821784af1d5cf447cef179c29583"
        },
        {
          "alg": "SHA-512",
          "content": "7db9aa83ea06858b35034b8cf8b6bbf3d72763ade4182962f2cba44e184a32d394787bda2f329d30a603fcae812bd66ebc8887c27c507e366e92e9a73ff3317b"
        },
        {
          "alg": "SHA3-256",
          "content": "d4765912b8a8ad3bd4386c8161e7e4d39fa54c8a1a1bca4611b2532fc19e1f7b"
        },
        {
          "alg": "SHA3-384",
          "content": "ea700d7386857e2acb23fb2ea8aa36455f705a56c66909c8123167e3c77d2ade13b24053b7853731b58af72f4d0f13fd"
        },
        {
          "alg": "SHA3-512",
          "content": "cbf966e5b4e67f646871f150c04d19686e78c188888cbbf1ca716c3f1eee5289062fad2edc7b75c73f78f46a9bf36827d87519c25d7ea3b60d9af7b1494b1fac"
        }
      ],
      "licenses": [
        {
          "license": {}
        }
      ],
      "purl": "pkg:maven/com.aliyun/[email protected]?type=jar",
      "externalReferences": [
        {
          "url": "https://oss.sonatype.org/service/local/staging/deploy/maven2/",
          "type": "distribution"
        },
        {
          "url": "https://github.com/aliyun/aliyun-openapi-java-sdk",
          "type": "vcs"
        }
      ]
    },

Note this line:

      "licenses": [
        {
          "license": {}
        }
      ],

This is in violation of the spec, where each license must have a name or ID.

The source BOM which instigated this has the following component:

Component from source BOM

```json
{
  "group" : "com.aliyun",
  "name" : "aliyun-java-sdk-ram",
  "version" : "3.1.0",
  "description" : "Aliyun Open API SDK for Java Copyright (C) Alibaba Cloud Computing All rights reserved. 版权所有 (C)阿里云计算有限公司 http://www.aliyun.com",
  "hashes" : [
    { "alg" : "MD5", "content" : "4993d72b4b59a3a895210a94cda33af4" },
    { "alg" : "SHA-1", "content" : "095454c18fb12f8fcdbeae4747adfa29bfe6bf17" },
    { "alg" : "SHA-256", "content" : "cab0f01bd0ae3dbefd047401b58836ecc6e207e0eb5af18a959e211cb35080a1" },
    { "alg" : "SHA-384", "content" : "8acbadce5b682f72bf6d8c170ee8b9cbedbfd0cee57ba7f7f9af21477deb4a223625821784af1d5cf447cef179c29583" },
    { "alg" : "SHA-512", "content" : "7db9aa83ea06858b35034b8cf8b6bbf3d72763ade4182962f2cba44e184a32d394787bda2f329d30a603fcae812bd66ebc8887c27c507e366e92e9a73ff3317b" },
    { "alg" : "SHA3-256", "content" : "d4765912b8a8ad3bd4386c8161e7e4d39fa54c8a1a1bca4611b2532fc19e1f7b" },
    { "alg" : "SHA3-384", "content" : "ea700d7386857e2acb23fb2ea8aa36455f705a56c66909c8123167e3c77d2ade13b24053b7853731b58af72f4d0f13fd" },
    { "alg" : "SHA3-512", "content" : "cbf966e5b4e67f646871f150c04d19686e78c188888cbbf1ca716c3f1eee5289062fad2edc7b75c73f78f46a9bf36827d87519c25d7ea3b60d9af7b1494b1fac" }
  ],
  "licenses" : [
    {
      "license" : {
        "name" : ""
      }
    }
  ],
  "purl" : "pkg:maven/com.aliyun/[email protected]?type=jar",
  "externalReferences" : [
    { "type" : "distribution", "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" },
    { "type" : "vcs", "url" : "https://github.com/aliyun/aliyun-openapi-java-sdk" }
  ],
  "type" : "library",
  "bom-ref" : "pkg:maven/com.aliyun/[email protected]?type=jar"
},
```

See these lines:

      "licenses" : [
        {
          "license" : {
            "name" : ""
          }
        }
      ],

This is not correct either, but cyclonedx-cli could handle it more gracefully. The expected behavior would be for merge and convert to take license arrays like the above and generate "licenses" : [] from them, instead of empty license objects.
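The check and the clean-up the report asks for, as an added example that is not part of cyclonedx-cli or of the original post. It walks a CycloneDX JSON BOM, flags every license entry that lacks a non-empty `id` or `name` (or a non-empty SPDX `expression`), reporting them in the same `#/components/N/licenses/M/license` path form the validator printed, and produces a copy in which those entries are dropped so the component ends up with `"licenses": []` instead of an empty license object. The sample BOM and the helper names are constructed for this example.

```python
"""Find and drop CycloneDX license entries that carry no id or name.

Added example, not cyclonedx-cli code.  SAMPLE_BOM is a constructed
BOM: it contains the empty-name shape from the source BOM in the issue,
the empty-object shape from the merged BOM, one valid SPDX id and one
SPDX expression, so the repair can be seen on all four at once.
"""
import copy
import json

SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "a", "version": "1",
         "licenses": [{"license": {"name": ""}}]},          # source-BOM shape
        {"type": "library", "name": "b", "version": "1",
         "licenses": [{"license": {}}]},                    # merged-BOM shape
        {"type": "library", "name": "c", "version": "1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},  # valid
        {"type": "library", "name": "d", "version": "1",
         "licenses": [{"expression": "MIT OR Apache-2.0"}]},  # valid
    ],
}


def _nonempty(value):
    """True only for a string with something other than whitespace in it."""
    return isinstance(value, str) and value.strip() != ""


def license_entry_is_usable(entry):
    """A licenseChoice entry is usable if it is a non-empty SPDX expression
    or a license object carrying a non-empty 'id' or 'name'.

    An empty object fails the schema's name-or-id requirement outright;
    an empty-string name satisfies the schema's type check but carries no
    information, so both are treated as unusable here (hypothetical
    policy, matching the behaviour the issue asks for)."""
    if "expression" in entry:
        return _nonempty(entry["expression"])
    lic = entry.get("license")
    if not isinstance(lic, dict):
        return False
    return _nonempty(lic.get("id")) or _nonempty(lic.get("name"))


def find_unusable_licenses(bom):
    """Return JSON-pointer-style paths of the offending entries, in the
    '#/components/N/licenses/M/license' form seen in the validator error."""
    paths = []
    for i, comp in enumerate(bom.get("components", [])):
        for j, entry in enumerate(comp.get("licenses", [])):
            if not license_entry_is_usable(entry):
                paths.append(f"#/components/{i}/licenses/{j}/license")
    return paths


def sanitize_licenses(bom):
    """Return a deep copy of the BOM with unusable entries removed.

    A component whose only entry was unusable keeps the key with an empty
    array ('licenses': []), which is what the issue proposes merge/convert
    should emit; the input BOM is left untouched."""
    fixed = copy.deepcopy(bom)
    for comp in fixed.get("components", []):
        if "licenses" in comp:
            comp["licenses"] = [e for e in comp["licenses"]
                                if license_entry_is_usable(e)]
    return fixed


if __name__ == "__main__":
    print("unusable:", find_unusable_licenses(SAMPLE_BOM))
    # ensure_ascii=False keeps non-ASCII text (such as the Chinese in the
    # description above) as literal characters instead of \uXXXX escapes.
    print(json.dumps(sanitize_licenses(SAMPLE_BOM)["components"],
                     indent=2, ensure_ascii=False))
```

To run this against a real file, load it with `json.load`, pass the dict to `find_unusable_licenses` to see what a schema validator will reject, and write out `sanitize_licenses(bom)` before merging or converting.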
