
`Instance validation error: 'sha1' is not a valid value for HashAlgorithm` when merging SBOMs

Open · kkovaletp opened this issue 3 years ago · 1 comment

I've tried to merge SBOMs, in one of which there is the following component:

<component bom-ref="pkg:maven/org.jpype/org.jpype?syft-id=5d40072348582790" type="library">
  <name>org.jpype</name>
  <cpe>cpe:2.3:a:org.jpype:org.jpype:*:*:*:*:*:*:*:*</cpe>
  <purl>pkg:maven/org.jpype/org.jpype</purl>
  <externalReferences>
    <reference type="build-meta">
      <url></url>
      <hashes>
        <hash alg="sha1">c65b70607ea15cc2d95efdf4e2ea94ce65100eb6</hash>
      </hashes>
    </reference>
  </externalReferences>
  <properties>
    <property name="syft:package:foundBy">java-cataloger</property>
    <property name="syft:package:language">java</property>
    <property name="syft:package:metadataType">JavaMetadata</property>
    <property name="syft:package:type">java-archive</property>
    <property name="syft:location:0:layerID">sha256:531683537a69f672df2f68b5a23a3060046e48325191c517a9fd08dfe923a430</property>
    <property name="syft:location:0:path">/home/dragent/.local/share/virtualenvs/dragent-WrTQ1u9h/lib/python3.8/site-packages/org.jpype.jar</property>
    <property name="syft:metadata:virtualPath">/home/dragent/.local/share/virtualenvs/dragent-WrTQ1u9h/lib/python3.8/site-packages/org.jpype.jar</property>
  </properties>
</component>

When I executed the command:

cyclonedx-cli merge --group GRP --name Nmae --version 2.0 \
  --input-files ${NGINX_REPORTS}/Details/Anchore-SBOM.xml ${NGINX_REPORTS}/Details/CI-SBOM.xml \
  --output-file ${NGINX_REPORTS}/Details/Anchore-SBOM-merged.xml

I got the following error:

Processing input file /home/<...>/reports/Details/Anchore-SBOM.xml
Unhandled exception: System.InvalidOperationException: There is an error in XML document (7694, 19).
 ---> System.InvalidOperationException: Instance validation error: 'sha1' is not a valid value for HashAlgorithm.
   at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderBom.Read2_HashAlgorithm(String s)
   at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderBom.Read4_Hash(Boolean isNullable, Boolean checkType)
   at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderBom.Read6_ExternalReference(Boolean isNullable, Boolean checkType)
   at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderBom.Read30_Component(Boolean isNullable, Boolean checkType)
   at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderBom.Read50_Bom(Boolean isNullable, Boolean checkType)
   at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderBom.Read51_bom()
   --- End of inner exception stack trace ---
   at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle, XmlDeserializationEvents events)
   at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle)
   at System.Xml.Serialization.XmlSerializer.Deserialize(Stream stream)
   at CycloneDX.Xml.Serializer.Deserialize(MemoryStream xmlStream)
   at CycloneDX.Xml.Serializer.Deserialize(Stream xmlStream)
   at CycloneDX.Cli.CliUtils.InputBomHelper(String filename, CycloneDXBomFormat format)
   at CycloneDX.Cli.Commands.MergeCommand.InputBoms(IEnumerable`1 inputFilenames, CycloneDXBomFormat inputFormat, Boolean outputToConsole)
   at CycloneDX.Cli.Commands.MergeCommand.Merge(MergeCommandOptions options)
   at System.CommandLine.Invocation.CommandHandler.GetExitCodeAsync(Object value, InvocationContext context)
   at System.CommandLine.Invocation.ModelBindingCommandHandler.InvokeAsync(InvocationContext context)
   at System.CommandLine.Invocation.InvocationPipeline.<>c__DisplayClass4_0.<<BuildInvocationChain>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass23_0.<<UseParseErrorReporting>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass16_0.<<UseHelp>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass27_0.<<UseVersionOption>b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass25_0.<<UseTypoCorrections>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<UseSuggestDirective>b__24_0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass22_0.<<UseParseDirective>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass11_0.<<UseDebugDirective>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<RegisterWithDotnetSuggest>b__10_0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass14_0.<<UseExceptionHandler>b__0>d.MoveNext()

BTW, before merging I validated both SBOMs, and this issue was not reported:

Validating XML BOM...
Validation failed at line number 4911 and position 19: The 'http://cyclonedx.org/schema/bom/1.4:id' element is invalid - The value 'GD' is invalid according to its datatype 'http://cyclonedx.org/schema/spdx:licenseId' - The Enumeration constraint failed.
BOM is not valid.
Validating XML BOM...
BOM validated successfully.

The issue reported during validation is already filed here as a separate ticket and is located higher in the SBOM file than this one, so two cases are possible:

  • The validate command fails on the first issue and doesn't validate the rest of the file at all
  • The validate command doesn't detect this case as an issue, while the merge command fails to process it

kkovaletp · Apr 14 '22 10:04

According to the specification https://cyclonedx.org/docs/1.4/xml/#type_hashAlg the hashing algorithm needs to be 'SHA-1', not 'sha1'.

andreas-hilti · Apr 22 '23 15:04
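The two points raised in this thread are (1) that `validate` did not flag the `alg="sha1"` value that `merge` later choked on, and (2) that the CycloneDX 1.4 `hashAlg` enumeration only accepts the exact spellings such as `SHA-1`. The following pre-merge check is an added example written for this page; it is not part of cyclonedx-cli or any CycloneDX project code. It uses only the Python standard library, takes the enumeration values from the CycloneDX 1.4 schema linked above, and runs against a small constructed BOM built from the component in the report plus one invented second component with a too-short digest. The helper names (`normalize_hash_alg`, `find_hash_problems`, `rewrite_hash_algs`) and the assumption that a BLAKE3 digest is 64 hex characters are mine, not the project's.

```python
"""Pre-merge check for hash algorithm identifiers in a CycloneDX XML BOM.

Added example, not cyclonedx-cli code. Reports <hash alg="..."> values that are
outside the CycloneDX 1.4 hashAlg enumeration (e.g. 'sha1' instead of 'SHA-1')
and digests whose length does not match the declared algorithm, then offers a
formatting-preserving rewrite of the alg attribute.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Values allowed by the CycloneDX 1.4 hashAlg enumeration (case-sensitive).
VALID_HASH_ALGS = (
    "MD5", "SHA-1", "SHA-256", "SHA-384", "SHA-512",
    "SHA3-256", "SHA3-384", "SHA3-512",
    "BLAKE2b-256", "BLAKE2b-384", "BLAKE2b-512", "BLAKE3",
)

# Expected hex digest length per algorithm. BLAKE3 = 64 is an assumption
# (its default 256-bit output), not something the schema states.
DIGEST_HEX_LEN = {
    "MD5": 32, "SHA-1": 40, "SHA-256": 64, "SHA-384": 96, "SHA-512": 128,
    "SHA3-256": 64, "SHA3-384": 96, "SHA3-512": 128,
    "BLAKE2b-256": 64, "BLAKE2b-384": 96, "BLAKE2b-512": 128, "BLAKE3": 64,
}


def _canon(s: str) -> str:
    """Lower-case and strip punctuation so 'sha1', 'SHA1', 'Sha-1' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


_CANON_TO_VALID = {_canon(v): v for v in VALID_HASH_ALGS}


def normalize_hash_alg(alg: str) -> Optional[str]:
    """Return the schema spelling for a loosely written alg, or None if unknown."""
    return _CANON_TO_VALID.get(_canon(alg))


def _local(tag: str) -> str:
    """Strip the XML namespace from an element tag ('{ns}hash' -> 'hash')."""
    return tag.rsplit("}", 1)[-1]


def find_hash_problems(xml_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (owning bom-ref, alg, digest, description) for each bad <hash>."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    problems = []
    for elem in root.iter():
        if _local(elem.tag) != "hash":
            continue
        alg = elem.get("alg", "")
        digest = (elem.text or "").strip()
        # Walk up to the nearest ancestor carrying a bom-ref so the report is actionable.
        owner = elem
        while owner is not None and owner.get("bom-ref") is None:
            owner = parents.get(owner)
        ref = owner.get("bom-ref") if owner is not None else "<root>"
        if alg not in VALID_HASH_ALGS:
            fix = normalize_hash_alg(alg)
            msg = f"alg '{alg}' is not in the hashAlg enumeration"
            if fix:
                msg += f"; use '{fix}'"
            problems.append((ref, alg, digest, msg))
        elif not re.fullmatch(r"[0-9a-fA-F]{%d}" % DIGEST_HEX_LEN[alg], digest):
            problems.append((ref, alg, digest,
                             f"digest is not {DIGEST_HEX_LEN[alg]} hex characters for {alg}"))
    return problems


_HASH_ALG_ATTR = re.compile(r'(<hash\b[^>]*?\balg=")([^"]*)(")')


def rewrite_hash_algs(xml_text: str) -> Tuple[str, int]:
    """Rewrite recognisable alg values to their schema spelling; return (text, count).

    Works on the raw text so the rest of the file (namespaces, indentation) is untouched.
    """
    count = 0

    def repl(m: "re.Match[str]") -> str:
        nonlocal count
        fix = normalize_hash_alg(m.group(2))
        if fix is None or fix == m.group(2):
            return m.group(0)
        count += 1
        return m.group(1) + fix + m.group(3)

    return _HASH_ALG_ATTR.sub(repl, xml_text), count


# Constructed sample: the component from the report plus an invented second one.
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component bom-ref="pkg:maven/org.jpype/org.jpype?syft-id=5d40072348582790" type="library">
      <name>org.jpype</name>
      <purl>pkg:maven/org.jpype/org.jpype</purl>
      <externalReferences>
        <reference type="build-meta">
          <url></url>
          <hashes>
            <hash alg="sha1">c65b70607ea15cc2d95efdf4e2ea94ce65100eb6</hash>
          </hashes>
        </reference>
      </externalReferences>
    </component>
    <component bom-ref="pkg:pypi/example-lib@1.0" type="library">
      <name>example-lib</name>
      <hashes>
        <hash alg="SHA-256">deadbeef</hash>
      </hashes>
    </component>
  </components>
</bom>"""

if __name__ == "__main__":
    for ref, alg, digest, msg in find_hash_problems(SAMPLE_BOM):
        print(f"{ref}: {msg} (digest {digest[:12]}...)")
    fixed, n = rewrite_hash_algs(SAMPLE_BOM)
    print(f"rewrote {n} alg attribute(s); remaining problems: {len(find_hash_problems(fixed))}")
```

Run the file on its own to see the two findings on the constructed BOM, or import `find_hash_problems` and point it at a real SBOM before handing it to `merge`. The rewrite is done with a regex on the raw text rather than by re-serialising the tree on purpose: `ElementTree` would rewrite namespace prefixes and whitespace, which makes the resulting diff noisy and can upset downstream signature or hash checks on the SBOM file itself. The digest-length check is the reason to go beyond a pure enum check: a correctly spelled algorithm with a truncated digest passes schema validation but is useless for verifying the artifact.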