
Providing a more helpful message

Open bsoroushian opened this issue 2 years ago • 1 comment

Tried to validate an SBOM using the cyclonedx-cli command:

```
cyclonedx validate --input-format json --input-file /tmp/scan-trivy.cdx --fail-on-errors --input-version v1_4
```

What I expected: Invalid SBOMs should result in a clear and specific error message (for example, something like what sbom-utility prints):

```
[ERROR] invalid SBOM: schema errors found (/tmp/scan-trivy.cdx):
(2) Schema errors detected (use `--debug` for more details):
	1. Type: [unique], Field: [dependencies.37.dependsOn], Description: [array items[0,1] must be unique]
	Failing object: [[
	  "pkg:deb/debian/[email protected]+deb11u6?arch=amd64&distro=debian-11.7",
	  "pkg:deb/debi ... (truncated)
	2. Type: [unique], Field: [dependencies.79.dependsOn], Description: [array items[0,1] must be unique]
	Failing object: [[
	  "pkg:deb/debian/[email protected]?arch=all&distro=debian-11.7",
	  "pkg:deb/debian/debcon ... (truncated)
[INFO] document `/tmp/scan-trivy.cdx`: valid=[false]
exit status 2
```

What happened: cyclonedx-cli output was not specific enough to identify the problem:

```
Validating JSON BOM...
Validation failed:
#/properties/dependencies/items
BOM is not valid.
```

bsoroushian avatar Jun 21 '23 22:06 bsoroushian
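The two tools above are reporting the same underlying schema violation: CycloneDX 1.4 declares `dependencies[].dependsOn` with `uniqueItems: true`, and the Trivy-generated BOM repeats a ref inside two of those arrays. The following is an added example, not code from cyclonedx-cli, sbom-utility or this issue's author, showing the kind of check that produces the more useful message: it walks the `dependencies` array and reports the JSON pointer of each offending entry together with the duplicated refs. The BOM it runs on is constructed sample data, not the `/tmp/scan-trivy.cdx` file from the report.

```python
"""Added example (not part of the cyclonedx-cli project): pinpoint the
`uniqueItems` violation that the CLI only reports as
'#/properties/dependencies/items'."""
import json
from collections import Counter

# Constructed sample BOM: two dependency entries, the second one repeats
# a ref in its dependsOn list, which CycloneDX 1.4 forbids (uniqueItems).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "dependencies": [
        {"ref": "pkg:deb/debian/bash@5.1-2?arch=amd64",
         "dependsOn": []},
        {"ref": "pkg:deb/debian/apt@2.2.4?arch=amd64",
         "dependsOn": ["pkg:deb/debian/libc6@2.31-13?arch=amd64",
                       "pkg:deb/debian/libc6@2.31-13?arch=amd64"]},
    ],
}
SAMPLE_BOM_TEXT = json.dumps(SAMPLE_BOM)


def find_nonunique_depends_on(bom):
    """Return [(json_pointer, [duplicated refs]), ...] for every
    dependencies[i].dependsOn array that repeats a ref."""
    findings = []
    for i, dep in enumerate(bom.get("dependencies", [])):
        counts = Counter(dep.get("dependsOn", []))
        dups = sorted(ref for ref, n in counts.items() if n > 1)
        if dups:
            findings.append((f"/dependencies/{i}/dependsOn", dups))
    return findings


def validate_report(bom_text):
    """Parse a BOM document and return (is_valid, list of message lines).

    Each message names the field by JSON pointer and lists the duplicated
    refs, so the reader can locate the problem in a large SBOM without
    re-running the validator in debug mode."""
    bom = json.loads(bom_text)
    findings = find_nonunique_depends_on(bom)
    lines = [
        f"{n}. Type: [uniqueItems], Field: [{pointer}], "
        f"Description: [array items must be unique], duplicated refs: {dups}"
        for n, (pointer, dups) in enumerate(findings, 1)
    ]
    return (not findings), lines


if __name__ == "__main__":
    ok, lines = validate_report(SAMPLE_BOM_TEXT)
    print("BOM is valid." if ok else "Validation failed:")
    for line in lines:
        print("  " + line)
```

Run as a script it prints one numbered finding for `/dependencies/1/dependsOn`; on a BOM with no repeated refs it reports the document as valid. Only this one schema rule is checked here; a full validator would run the whole CycloneDX schema, but the point is that the error path and the offending values are what make a failure actionable.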

https://github.com/CycloneDX/cyclonedx-cli/pull/317 should help in this respect (even if it might not completely resolve it).

andreas-hilti avatar Aug 05 '23 20:08 andreas-hilti