
CycloneDX CLI seems to output invalid BOM when license exists with empty name

Open rmartine-ias opened this issue 1 year ago • 0 comments

We started getting validation errors for merged BOMs recently, that the license schema was invalid:

    #/components/152/licenses/0/license: Expected 1 matching subschema but found 0

Upon inspection, this is because the BOM generated by cyclonedx-cli has components like this:

Full component from BOM

(As a side issue, the Chinese characters are not handled correctly)

    {
      "type": "library",
      "bom-ref": "pkg:maven/com.aliyun/[email protected]?type=jar",
      "group": "com.aliyun",
      "name": "aliyun-java-sdk-ram",
      "version": "3.1.0",
      "description": "Aliyun Open API SDK for Java Copyright (C) Alibaba Cloud Computing All rights reserved. \u7248\u6743\u6240\u6709 \uFF08C\uFF09\u963F\u91CC\u4E91\u8BA1\u7B97\u6709\u9650\u516C\u53F8 http://www.aliyun.com",
      "hashes": [
        {
          "alg": "MD5",
          "content": "4993d72b4b59a3a895210a94cda33af4"
        },
        {
          "alg": "SHA-1",
          "content": "095454c18fb12f8fcdbeae4747adfa29bfe6bf17"
        },
        {
          "alg": "SHA-256",
          "content": "cab0f01bd0ae3dbefd047401b58836ecc6e207e0eb5af18a959e211cb35080a1"
        },
        {
          "alg": "SHA-384",
          "content": "8acbadce5b682f72bf6d8c170ee8b9cbedbfd0cee57ba7f7f9af21477deb4a223625821784af1d5cf447cef179c29583"
        },
        {
          "alg": "SHA-512",
          "content": "7db9aa83ea06858b35034b8cf8b6bbf3d72763ade4182962f2cba44e184a32d394787bda2f329d30a603fcae812bd66ebc8887c27c507e366e92e9a73ff3317b"
        },
        {
          "alg": "SHA3-256",
          "content": "d4765912b8a8ad3bd4386c8161e7e4d39fa54c8a1a1bca4611b2532fc19e1f7b"
        },
        {
          "alg": "SHA3-384",
          "content": "ea700d7386857e2acb23fb2ea8aa36455f705a56c66909c8123167e3c77d2ade13b24053b7853731b58af72f4d0f13fd"
        },
        {
          "alg": "SHA3-512",
          "content": "cbf966e5b4e67f646871f150c04d19686e78c188888cbbf1ca716c3f1eee5289062fad2edc7b75c73f78f46a9bf36827d87519c25d7ea3b60d9af7b1494b1fac"
        }
      ],
      "licenses": [
        {
          "license": {}
        }
      ],
      "purl": "pkg:maven/com.aliyun/[email protected]?type=jar",
      "externalReferences": [
        {
          "url": "https://oss.sonatype.org/service/local/staging/deploy/maven2/",
          "type": "distribution"
        },
        {
          "url": "https://github.com/aliyun/aliyun-openapi-java-sdk",
          "type": "vcs"
        }
      ]
    },

Note this line:

      "licenses": [
        {
          "license": {}
        }
      ],

This is in violation of the spec, where each license must have a name or ID.

The source BOM which instigated this has the following component:

Component from source BOM

```json
    {
      "group" : "com.aliyun",
      "name" : "aliyun-java-sdk-ram",
      "version" : "3.1.0",
      "description" : "Aliyun Open API SDK for Java Copyright (C) Alibaba Cloud Computing All rights reserved. 版权所有 (C)阿里云计算有限公司 http://www.aliyun.com",
      "hashes" : [
        {
          "alg" : "MD5",
          "content" : "4993d72b4b59a3a895210a94cda33af4"
        },
        {
          "alg" : "SHA-1",
          "content" : "095454c18fb12f8fcdbeae4747adfa29bfe6bf17"
        },
        {
          "alg" : "SHA-256",
          "content" : "cab0f01bd0ae3dbefd047401b58836ecc6e207e0eb5af18a959e211cb35080a1"
        },
        {
          "alg" : "SHA-384",
          "content" : "8acbadce5b682f72bf6d8c170ee8b9cbedbfd0cee57ba7f7f9af21477deb4a223625821784af1d5cf447cef179c29583"
        },
        {
          "alg" : "SHA-512",
          "content" : "7db9aa83ea06858b35034b8cf8b6bbf3d72763ade4182962f2cba44e184a32d394787bda2f329d30a603fcae812bd66ebc8887c27c507e366e92e9a73ff3317b"
        },
        {
          "alg" : "SHA3-256",
          "content" : "d4765912b8a8ad3bd4386c8161e7e4d39fa54c8a1a1bca4611b2532fc19e1f7b"
        },
        {
          "alg" : "SHA3-384",
          "content" : "ea700d7386857e2acb23fb2ea8aa36455f705a56c66909c8123167e3c77d2ade13b24053b7853731b58af72f4d0f13fd"
        },
        {
          "alg" : "SHA3-512",
          "content" : "cbf966e5b4e67f646871f150c04d19686e78c188888cbbf1ca716c3f1eee5289062fad2edc7b75c73f78f46a9bf36827d87519c25d7ea3b60d9af7b1494b1fac"
        }
      ],
      "licenses" : [
        {
          "license" : {
            "name" : ""
          }
        }
      ],
      "purl" : "pkg:maven/com.aliyun/[email protected]?type=jar",
      "externalReferences" : [
        {
          "type" : "distribution",
          "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/"
        },
        {
          "type" : "vcs",
          "url" : "https://github.com/aliyun/aliyun-openapi-java-sdk"
        }
      ],
      "type" : "library",
      "bom-ref" : "pkg:maven/com.aliyun/[email protected]?type=jar"
    },
```

See these lines:

      "licenses" : [
        {
          "license" : {
            "name" : ""
          }
        }
      ],

This is not correct either, but cyclonedx-cli could handle it more gracefully. The expected behavior would be for merge and convert to take license arrays like the above and generate `"licenses" : []` from them, instead of empty license objects.

rmartine-ias avatar Jun 29 '23 22:06 rmartine-ias
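The sanitization the issue asks for, as an added example that is not code from cyclonedx-cli or from the issue author: a post-processing step that drops `licenses[]` entries with neither an SPDX `id` nor a non-empty `name` (and keeps `expression` entries), so the component above ends up with `"licenses": []` instead of a schema-invalid `"license": {}`. `SAMPLE_BOM`, `license_choice_is_valid` and `normalize_licenses` are constructed for this example.

```python
"""Added example, not code from cyclonedx-cli or the issue author: strip
CycloneDX license entries that carry neither an SPDX id nor a non-empty
name, so a merged BOM never emits the schema-invalid "license": {}."""
import copy
import json

# Constructed sample BOM, modelled on the component quoted in the issue.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "com.aliyun", "name": "aliyun-java-sdk-ram",
         "version": "3.1.0", "licenses": [{"license": {"name": ""}}]},
        {"type": "library", "name": "other-lib", "version": "1.0",
         "licenses": [{"license": {"id": "Apache-2.0"}},
                      {"license": {}},
                      {"expression": "MIT OR GPL-2.0-only"}]},
    ],
}


def license_choice_is_valid(choice: dict) -> bool:
    """A licenses[] entry is either an SPDX expression or a license object
    with a non-empty 'id' or 'name' (the schema's oneOf)."""
    if "expression" in choice:
        return bool(str(choice["expression"]).strip())
    lic = choice.get("license")
    if not isinstance(lic, dict):
        return False
    return bool(str(lic.get("id") or "").strip() or str(lic.get("name") or "").strip())


def normalize_licenses(bom: dict) -> dict:
    """Return a deep copy of the BOM with invalid license entries dropped.
    A component whose entries are all invalid ends up with "licenses": []."""
    out = copy.deepcopy(bom)
    for comp in out.get("components", []):
        if isinstance(comp.get("licenses"), list):
            comp["licenses"] = [c for c in comp["licenses"]
                                if license_choice_is_valid(c)]
    return out


if __name__ == "__main__":
    # ensure_ascii=False keeps CJK description text readable rather than \uXXXX
    print(json.dumps(normalize_licenses(SAMPLE_BOM), indent=2, ensure_ascii=False))
```

Run it against a merged BOM before validation; the input dictionary is left untouched, so the original can still be diffed against the cleaned output.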