cyclonedx-cli
Incorrect Purl element instead of purl in evidence section
When using version 0.25.0 in Azure DevOps (with CycloneDX version 1.5) and trying to merge an SBOM from cdxgen (using version 10.1.0) from https://github.com/CycloneDX/cdxgen that contains "evidence", the JSON SBOM file contains the following:
```json
{
  "type": "library",
  "bom-ref": "pkg:npm/matchmedia()-polyfill@Test a CSS media type/query in JS. Authors \u0026 copyright (c) 2012: Scott Jehl, Paul Irish, Nicholas Zakas. Dual MIT/BSD license */",
  "group": "",
  "name": "matchmedia()-polyfill",
  "version": "Test a CSS media type/query in JS. Authors \u0026 copyright (c) 2012: Scott Jehl, Paul Irish, Nicholas Zakas. Dual MIT/BSD license */",
  "purl": "pkg:npm/matchmedia()-polyfill@Test%20a%20CSS%20media%20type%2Fquery%20in%20JS.%20Authors%20%26%20copyright%20(c)%202012:%20Scott%20Jehl%2C%20Paul%20Irish%2C%20Nicholas%20Zakas.%20Dual%20MIT%2FBSD%20license%20*%2F",
  "properties": [
    {
      "name": "SrcFile",
      "value": "xxxx/Scripts/respond.min.js"
    }
  ],
  "evidence": {
    "identity": {
      "field": "Purl",
      "confidence": 0.25,
      "methods": [
        {
          "technique": "filename",
          "confidence": 0.25,
          "value": "xxxx/Scripts/respond.min.js"
        }
      ]
    }
  }
},
```
While it should be:
```json
{
  "type": "library",
  "bom-ref": "pkg:npm/matchmedia()-polyfill@Test a CSS media type/query in JS. Authors \u0026 copyright (c) 2012: Scott Jehl, Paul Irish, Nicholas Zakas. Dual MIT/BSD license */",
  "group": "",
  "name": "matchmedia()-polyfill",
  "version": "Test a CSS media type/query in JS. Authors \u0026 copyright (c) 2012: Scott Jehl, Paul Irish, Nicholas Zakas. Dual MIT/BSD license */",
  "purl": "pkg:npm/matchmedia()-polyfill@Test%20a%20CSS%20media%20type%2Fquery%20in%20JS.%20Authors%20%26%20copyright%20(c)%202012:%20Scott%20Jehl%2C%20Paul%20Irish%2C%20Nicholas%20Zakas.%20Dual%20MIT%2FBSD%20license%20*%2F",
  "properties": [
    {
      "name": "SrcFile",
      "value": "xxxx/Scripts/respond.min.js"
    }
  ],
  "evidence": {
    "identity": {
      "field": "purl",
      "confidence": 0.25,
      "methods": [
        {
          "technique": "filename",
          "confidence": 0.25,
          "value": "xxxx/Scripts/respond.min.js"
        }
      ]
    }
  }
},
```
When then trying to upload the SBOM to Dependency-Track, it fails with the following error:
Caused by: com.fasterxml.jackson.databind.exc.InvalidFormatException: Cannot deserialize value of type org.cyclonedx.model.component.evidence.Identity$Field from String "Purl": not one of the values accepted for Enum class: [cpe, name, hash, swid, version, purl, group]
Can someone confirm this issue and could this then be fixed? I can also help if needed!
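As an added example (not part of the issue or of cyclonedx-cli), a small Python check that scans a CycloneDX JSON BOM for `evidence.identity.field` values outside the enum listed in the Dependency-Track error above, and a normalizer that lower-cases a field only when that turns it into an accepted value, which is a safe pre-upload workaround while the merge bug is open. The `SAMPLE_BOM` is a constructed minimal BOM reproducing the "Purl" case; the `identity` handling also accepts the list form used by newer spec versions.

```python
import copy

# Accepted values for evidence.identity.field, taken from the Dependency-Track
# error message in the issue (the CycloneDX Identity.Field enum).
IDENTITY_FIELDS = {"cpe", "name", "hash", "swid", "version", "purl", "group"}

# Constructed minimal BOM reproducing the report: "Purl" instead of "purl".
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [{
        "type": "library", "name": "matchmedia()-polyfill",
        "evidence": {"identity": {
            "field": "Purl", "confidence": 0.25,
            "methods": [{"technique": "filename", "confidence": 0.25,
                         "value": "xxxx/Scripts/respond.min.js"}]}},
    }],
}

def _components(components):
    """Yield every component, including nested sub-components."""
    for comp in components or []:
        yield comp
        yield from _components(comp.get("components"))

def _identities(comp):
    """Return a component's identity objects (object form, or list form in newer specs)."""
    identity = comp.get("evidence", {}).get("identity")
    if identity is None:
        return []
    return identity if isinstance(identity, list) else [identity]

def find_bad_identity_fields(bom):
    """List (component name, field) pairs whose field is not an accepted enum value."""
    return [(comp.get("name"), ident.get("field"))
            for comp in _components(bom.get("components"))
            for ident in _identities(comp)
            if ident.get("field") not in IDENTITY_FIELDS]

def normalize_identity_fields(bom):
    """Return a copy where a field is lower-cased only if that makes it valid; anything else is left for review."""
    fixed = copy.deepcopy(bom)
    for comp in _components(fixed.get("components")):
        for ident in _identities(comp):
            field = ident.get("field")
            if isinstance(field, str) and field.lower() in IDENTITY_FIELDS:
                ident["field"] = field.lower()
    return fixed
```

Run `find_bad_identity_fields` on a merged BOM loaded with `json.load` before uploading; if it reports only casing variants, `normalize_identity_fields` yields a BOM that Dependency-Track will deserialize.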