cyclonedx-cli
referenceCategory error converting from SPDX to CycloneDX
This is the error the tool throws when trying to convert from one format to the other:

The JSON value could not be converted to CycloneDX.Spdx.Models.v2_2.ExternalRefCategory. Path: $.packages[0].externalRefs[0].referenceCategory
The SPDX file contains this section:

```json
"externalRefs": [
  {
    "referenceCategory": "PACKAGE-MANAGER",
    "referenceLocator": "pkg:golang/github.com/hashicorp/[email protected]",
    "referenceType": "purl"
  }
]
```
I get the same error using the current version (0.24.2)
I am getting the same problem with most of the SPDX examples in the BOM-shelter, such as https://github.com/chainguard-dev/bom-shelter/blob/main/in-the-lab/spdx-popular-containers/data/spdx-bom-airbyte_bootloader-sha256%3A2a8e24d79fe158517e492ebfec01797c78cf7008523c3304f933323ea6d97479.json
PACKAGE-MANAGER is a valid enum value and is included for SPDX 2.3 at https://github.com/CycloneDX/sbom-utility/blob/2b232da27b8c144674779ebd26a29cdda20d7880/resources/schema/spdx/2.3/spdx-schema.json#L325
I am not a C# dev and don't know how C# deserializes JSON into enums.
If I edit the SPDX JSON and change the value PACKAGE-MANAGER to PACKAGE_MANAGER, the conversion is successful.
This probably has its cause in src/CycloneDX.Spdx/Models/v2_2/ExternalRefCategory.cs
I am also seeing the same issue with 0.24.2. If I change all the PACKAGE-MANAGER entries to PACKAGE_MANAGER, I am able to convert.
I have the same issue. GitHub (Insights -> Dependency Graph -> Export SBOM) generates SPDX SBOMs also with PACKAGE-MANAGER.
Here is what I have been doing as a work-around:

```sh
cat $file | sed 's/PACKAGE-MANAGER/PACKAGE_MANAGER/g; s/"DESCRIBE"/"DESCRIBES"/g' > /tmp/spdx.json && echo "converting $file" && cyclonedx convert --input-file /tmp/spdx.json --input-format spdxjson --output-format json --output-file /tmp/fromspdx/$file
```
I used a similar sed-based workaround as @esnible. The proper way would be adding SPDX schema 2.3, as both PACKAGE-MANAGER and PACKAGE_MANAGER are valid there: https://github.com/spdx/spdx-spec/blob/844144b3785dbc6a35065eda3b9d36adda874540/schemas/spdx-schema.json#L328C81-L328C81
We tried to follow the trail of what's going on here. It's a bit confusing, but to expand on what @weichslgartner said:

- The SPDX spec (v2.2.2), under 7.21.1, uses PACKAGE-MANAGER.
- The spdx-spec project's schema supports both PACKAGE-MANAGER and PACKAGE_MANAGER.
- I think the CycloneDX projects pull the schema from the cyclonedx-dotnet-library project, which only supports PACKAGE_MANAGER.
Wouldn't the extremely simple solution be to add PACKAGE_MANAGER to the externalRefs > referenceCategory enum in the file referenced in point 3 above?
I was able to use the approach with GitHub Enterprise: https://docs.github.com/en/[email protected]/rest/dependency-graph/sboms?apiVersion=2022-11-28

The only problem is that the output doesn't include GHAS security vulnerabilities. Is there any other way to include the GHAS data in the SBOM?
NOTE: the API payload wraps the SPDX document in .sbom, so before piping it to cyclonedx, make sure to unwrap the payload:

```sh
curl -s -H "Authorization: token ${GITHUB_TOKEN}" \
  https://${GITHUB_API_SERVER}/v3/repos/ORG/REPO/dependency-graph/sbom |
  sed 's/PACKAGE-MANAGER/PACKAGE_MANAGER/g;' | jq '.sbom' | \
  cyclonedx convert --input-format spdxjson --output-format json
```
```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "timestamp": "2024-08-29T00:15:34Z",
    "tools": [
      {
        "name": "GitHub.com-Dependency",
        "version": "Graph"
      }
    ],
    "properties": [
      {
        "name": "spdx:spdxid",
        "value": "SPDXRef-DOCUMENT"
      },
      {
        "name": "spdx:document:spdx-version",
        "value": "SPDX-2.2"
      },
      {
        "name": "spdx:document:name",
        ...
}
```
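A structural alternative to the sed-based workarounds in this thread (an added example, not code from the issue or from the CycloneDX project): it unwraps the GitHub API's .sbom envelope and rewrites only the referenceCategory and relationshipType enum values, so strings elsewhere in the document that happen to contain PACKAGE-MANAGER (comments, locators, names) are left untouched. The sample document and its package locator are constructed for the example.

```python
import json

# Enum spellings the thread identifies: SPDX 2.2.2 uses the hyphenated form,
# while cyclonedx-dotnet-library's enum only accepts the underscore form. The
# DESCRIBE -> DESCRIBES fix mirrors the sed workaround posted above.
CATEGORY_FIXES = {"PACKAGE-MANAGER": "PACKAGE_MANAGER"}
RELATIONSHIP_FIXES = {"DESCRIBE": "DESCRIBES"}

def unwrap_github_payload(payload):
    """The dependency-graph API wraps the SPDX document in an 'sbom' key;
    return the inner document, or the input unchanged if it is bare SPDX."""
    if isinstance(payload, dict) and "sbom" in payload and "spdxVersion" not in payload:
        return payload["sbom"]
    return payload

def normalize_spdx(doc):
    """Rewrite only the enum fields cyclonedx-cli rejects; locators, names and
    comments are left alone (a global sed would rewrite those too).
    Returns the number of values changed."""
    changed = 0
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceCategory") in CATEGORY_FIXES:
                ref["referenceCategory"] = CATEGORY_FIXES[ref["referenceCategory"]]
                changed += 1
    for rel in doc.get("relationships", []):
        if rel.get("relationshipType") in RELATIONSHIP_FIXES:
            rel["relationshipType"] = RELATIONSHIP_FIXES[rel["relationshipType"]]
            changed += 1
    return changed

def normalize_payload(text):
    """Parse an API response or a plain SPDX file, unwrap it, normalize in place."""
    doc = unwrap_github_payload(json.loads(text))
    return doc, normalize_spdx(doc)

# Constructed sample shaped like the thread's snippet, wrapped the way the
# GitHub API returns it; the comment deliberately contains the hyphenated token.
SAMPLE = json.dumps({"sbom": {"spdxVersion": "SPDX-2.2", "packages": [{
    "name": "go-version", "comment": "category was PACKAGE-MANAGER",
    "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                      "referenceLocator": "pkg:golang/github.com/example/[email protected]",
                      "referenceType": "purl"}]}],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBE",
                       "relatedSpdxElement": "SPDXRef-go-version"}]}})

if __name__ == "__main__":
    doc, n = normalize_payload(SAMPLE)
    print(f"{n} values rewritten")
    print(json.dumps(doc, indent=2))  # feed this to: cyclonedx convert --input-format spdxjson
```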