cyclonedx-cli
Validation of BOM Generated by Jake
cyclonedx-cli 0.14.0 is not validating a BOM, jake-bom.xml, from Sonatype's cyclonedx-sbom-examples repo.
The BOM appears to be schema v1.1 using the vulnerability extension. It is not pretty printed, so here is an edited version:
```xml
<bom xmlns:v="http://cyclonedx.org/schema/ext/vulnerability/1.0" xmlns="http://cyclonedx.org/schema/bom/1.1" version="1">
  <components>
    <component type="library" bom-ref="pkg:pypi/yaspin@0.16.0?extension=tar.gz">
      <name>yaspin</name>
      <version>0.16.0?extension=tar.gz</version>
      <purl>pkg:pypi/yaspin@0.16.0?extension=tar.gz</purl>
    </component>
    <component type="library" bom-ref="pkg:pypi/wrapt@1.12.1?extension=tar.gz">
      <name>wrapt</name>
      <version>1.12.1?extension=tar.gz</version>
      <purl>pkg:pypi/wrapt@1.12.1?extension=tar.gz</purl>
    </component>
  </components>
</bom>
```
This is the output from cyclonedx-cli 0.14.0:
```console
$ ./cyclonedx-win-x86.exe validate --input-file jake-bom.xml
Validating XML SBOM...
Invalid namespace URI: expected http://cyclonedx.org/schema/bom/1.2 actual http://cyclonedx.org/schema/bom/1.1
$ ./cyclonedx-win-x86.exe validate --input-file jake-bom.xml --input-format autodetect
Validating XML SBOM...
Invalid namespace URI: expected http://cyclonedx.org/schema/bom/1.2 actual http://cyclonedx.org/schema/bom/1.1
$ ./cyclonedx-win-x86.exe validate --input-file jake-bom.xml --input-format xml_v1_1
Validating XML SBOM...
```
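The error above comes from the tool comparing the root element's default namespace against the schema it expects. The following is an added example, not code from this report or from the cyclonedx-cli project: a small Python helper that pre-checks a CycloneDX XML BOM before it is fed to a validator, reading the schema version from the `xmlns` on `<bom>`, collecting any extension namespaces declared on the root (such as the vulnerability extension here), and deriving the matching `--input-format` value. The sample BOM embedded in it is a constructed copy of the v1.1 shape shown in the report, and the `xml_v1_1` format naming is taken from the command line above.

```python
import io
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed v1.1 BOM with the vulnerability extension
# namespace declared on the root, mirroring the report's jake-bom.xml.
SAMPLE_BOM = """<bom xmlns:v="http://cyclonedx.org/schema/ext/vulnerability/1.0" xmlns="http://cyclonedx.org/schema/bom/1.1" version="1">
  <components>
    <component type="library" bom-ref="pkg:pypi/yaspin@0.16.0?extension=tar.gz">
      <name>yaspin</name>
      <version>0.16.0?extension=tar.gz</version>
      <purl>pkg:pypi/yaspin@0.16.0?extension=tar.gz</purl>
    </component>
  </components>
</bom>"""

# CycloneDX XML namespaces carry the schema version as the last path segment.
BOM_NS_RE = re.compile(r"^http://cyclonedx\.org/schema/bom/(\d+\.\d+)$")


def detect_bom_schema(xml_text):
    """Return (schema_version, extension_namespaces) for a CycloneDX XML BOM.

    schema_version is the version string from the root's default namespace
    (e.g. '1.1'); extension_namespaces maps prefix -> URI for every other
    namespace declared on the root element.
    """
    # iterparse emits 'start-ns' events for namespace declarations before the
    # 'start' event of the element that carries them, so stopping at the first
    # 'start' event leaves us with exactly the root's declarations.
    ns_decls = {}
    root_tag = None
    stream = io.BytesIO(xml_text.encode("utf-8"))
    for event, payload in ET.iterparse(stream, events=("start-ns", "start")):
        if event == "start-ns":
            prefix, uri = payload
            ns_decls[prefix] = uri
        else:
            root_tag = payload.tag
            break

    # ElementTree renders a namespaced tag as '{uri}localname'.
    m = re.match(r"^\{(.*)\}bom$", root_tag or "")
    if not m:
        raise ValueError("root element is not a namespaced CycloneDX <bom>")
    bom_ns = m.group(1)

    vm = BOM_NS_RE.match(bom_ns)
    if not vm:
        raise ValueError("unrecognised CycloneDX namespace: " + bom_ns)
    version = vm.group(1)

    # Anything declared on the root other than the default BOM namespace is an
    # extension namespace (here the vulnerability extension under prefix 'v').
    extensions = {p: u for p, u in ns_decls.items() if p != "" and u != bom_ns}
    return version, extensions


def input_format_flag(version):
    """Map a detected schema version to the cyclonedx-cli XML input-format
    name, following the 'xml_v1_1' form used on the command line above."""
    return "xml_v" + version.replace(".", "_")


if __name__ == "__main__":
    ver, exts = detect_bom_schema(SAMPLE_BOM)
    print("schema version:", ver)
    print("extension namespaces:", exts)
    print("suggested flag: --input-format", input_format_flag(ver))
```

Run against a BOM that is not trusted (one pulled from a build artifact or a third party), swap `xml.etree` for `defusedxml` to avoid entity-expansion surprises; the namespace logic is unchanged. The helper only reads the root element, so it is cheap to run as a gate in a pipeline before invoking the validator with the format the BOM actually declares.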