
MergeCommand: add options to --validate-output(-relaxed) …

Open jimklimov opened this issue 2 years ago • 0 comments

…and optionally avoid writing an invalid document

Came up while testing https://github.com/CycloneDX/cyclonedx-dotnet-library/pull/245 but is a relatively independent feature, given that we juggle several versions of the faulty merge generator and JSON validator (in-tree and after the respective PR merges).

This little change compiles independently and can also be used to check the original bug for that PR in one command, not two (merge+validate), and even allows protecting the output file from changes ;)

In-tree code sees no evil, hears no evil, does not complain.

Library with validate-json-bomref branch does complain for the same inputs:

...
Processing input file tpb-cucumber-2.5.14-cyclonedx.json
    Contains 180 components
Processing input file tpb-cucumber-2.5.21-cyclonedx.json
    Contains 180 components
Processing input file tpb-cucumber-2.5.26-cyclonedx.json
    Contains 180 components
Processing input file tpb-cucumber-2.6.1-cyclonedx.json
    Contains 184 components
Loaded 317 input document(s) with 28886 components originally (overlaps to merge are possible)
Beginning merge processing (this can take a while)
Validating merged BOM...
'bom-ref' value of pkg:maven/com.google.errorprone/[email protected]?type=jar: expected 1 mention, actual 3
'bom-ref' value of pkg:maven/io.cucumber/[email protected]?type=jar: expected 1 mention, actual 2
'bom-ref' value of pkg:maven/io.cucumber/[email protected]?type=jar: expected 1 mention, actual 2
'bom-ref' value of pkg:maven/io.cucumber/[email protected]?type=jar: expected 1 mention, actual 2
'bom-ref' value of pkg:maven/io.cucumber/[email protected]?type=jar: expected 1 mention, actual 2
'bom-ref' value of pkg:maven/io.cucumber/[email protected]?type=jar: expected 1 mention, actual 2
'bom-ref' value of pkg:maven/io.cucumber/[email protected]?type=jar: expected 1 mention, actual 2
...
Merged BOM is not valid.
    Total 1352 components
real    1m41.539s
user    0m0.015s
sys     0m0.015s

$ echo $?
6
  • note the lack of Writing output file... ;)

FWIW, with the full stack of relevant PRs in discussion applied locally, it is much faster and does dedup well (definition of "well" may vary though, see https://github.com/CycloneDX/cyclonedx-dotnet-library/pull/245):

...
Loaded 317 input document(s) with 28886 components originally (overlaps to merge are possible)
Beginning merge processing (this can take a while)
Validating merged BOM...
Merged BOM validated successfully.
Writing output file...
    Total 661 components

real    0m17.277s
user    0m0.000s
sys     0m0.046s

jimklimov Aug 21 '23 16:08
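The behaviour the issue asks for, as an added example that is not cyclonedx-cli or cyclonedx-dotnet-library code: merge the component lists of several CycloneDX JSON BOMs, check that every `bom-ref` occurs exactly once, print the same style of message the log above shows, and skip writing the output file (returning status 6, the exit code seen in the issue) when the merged document is invalid. The two input BOMs and their purls are constructed for this example; the `--dedup` switch and the `merge_and_write` helper are this example's own, not options of the real CLI.

```python
"""Added example: merge CycloneDX JSON BOMs, validate bom-ref uniqueness,
and refuse to write the output file when validation fails."""
import json
import sys
from collections import Counter
from pathlib import Path


def iter_bom_refs(bom):
    """Yield every bom-ref where the CycloneDX schema allows one:
    metadata.component, components (including nested ones) and services."""
    meta_comp = bom.get("metadata", {}).get("component")
    if meta_comp and meta_comp.get("bom-ref"):
        yield meta_comp["bom-ref"]
    stack = list(bom.get("components", [])) + list(bom.get("services", []))
    while stack:
        item = stack.pop()
        if item.get("bom-ref"):
            yield item["bom-ref"]
        stack.extend(item.get("components", []))
        stack.extend(item.get("services", []))


def duplicate_bom_refs(bom):
    """Map each bom-ref that is mentioned more than once to its count."""
    counts = Counter(iter_bom_refs(bom))
    return {ref: n for ref, n in sorted(counts.items()) if n > 1}


def naive_merge(boms):
    """Concatenate component lists; this is how duplicate bom-refs creep in."""
    merged = {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
              "components": []}
    for b in boms:
        merged["components"].extend(b.get("components", []))
    return merged


def dedup_merge(boms):
    """Keep the first component seen for each bom-ref (one possible dedup rule)."""
    merged = naive_merge(boms)
    seen = {}
    for c in merged["components"]:
        key = c.get("bom-ref") or json.dumps(c, sort_keys=True)
        seen.setdefault(key, c)
    merged["components"] = list(seen.values())
    return merged


def validate_merged_bom(bom):
    """Return (exit_status, messages); 6 mirrors the status in the issue log."""
    dups = duplicate_bom_refs(bom)
    msgs = [f"'bom-ref' value of {ref}: expected 1 mention, actual {n}"
            for ref, n in dups.items()]
    if msgs:
        msgs.append("Merged BOM is not valid.")
        return 6, msgs
    return 0, ["Merged BOM validated successfully."]


def merge_and_write(boms, out_path, dedup=False):
    """Validate before writing so an existing output file is never clobbered
    with an invalid document."""
    merged = dedup_merge(boms) if dedup else naive_merge(boms)
    status, msgs = validate_merged_bom(merged)
    for m in msgs:
        print(m, file=sys.stderr)
    if status != 0:
        return status  # output file left untouched
    print("Writing output file...", file=sys.stderr)
    Path(out_path).write_text(json.dumps(merged, indent=2))
    print(f"    Total {len(merged['components'])} components", file=sys.stderr)
    return 0


def _component(purl):
    name = purl.split("/")[-1].split("@")[0]
    return {"type": "library", "name": name, "purl": purl, "bom-ref": purl}


# Constructed sample inputs (not from the issue): two SBOMs sharing one dependency.
SAMPLE_BOMS = [
    {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        _component("pkg:maven/io.cucumber/cucumber-core@7.0.0?type=jar"),
        _component("pkg:maven/io.cucumber/cucumber-java@7.0.0?type=jar"),
    ]},
    {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        _component("pkg:maven/io.cucumber/cucumber-core@7.0.0?type=jar"),
        _component("pkg:maven/com.google.errorprone/error_prone_annotations@2.18.0?type=jar"),
    ]},
]

if __name__ == "__main__":
    out = next((a for a in sys.argv[1:] if not a.startswith("--")), "merged.cdx.json")
    sys.exit(merge_and_write(SAMPLE_BOMS, out, dedup="--dedup" in sys.argv))
```

Run as `python3 merge_check.py out.json` to see the validation fail with status 6 and no file written; add `--dedup` to get the deduplicated, valid document. The same gate generalises to any other schema rule the validator enforces: validate the in-memory document first, and only touch the output path once it passes.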