cyclonedx-cli

Converting json SBOM to xml produces invalid SBOM when there is a component with multiple licenses

Taha-cmd opened this issue 1 year ago • 2 comments

I have an SBOM for a C# application generated by the dotnet cyclonedx tool. One of the components has the following schema:

    {
      "type": "library",
      "bom-ref": "pkg:nuget/CsvHelper@30.0.1",
      "author": "Josh Close",
      "name": "CsvHelper",
      "version": "30.0.1",
      "description": "A library for reading and writing CSV files. Extremely fast, flexible, and easy to use. Supports reading and writing of custom class objects.",
      "scope": "required",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "F02DE9AB8F3A99B5B6D83ABC0E8EEBBD65563512C3610CBDF4F433202075C342FCFE58245C3AB7735E328433E80F0D6379DBFD5FC5392DF27FDAA15182A438DA"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "MS-PL"
          }
        },
        {
          "license": {
            "id": "Apache-2.0"
          }
        }
      ],
      "copyright": "Copyright © 2009-2022 Josh Close",
      "purl": "pkg:nuget/CsvHelper@30.0.1",
      "externalReferences": [
        {
          "url": "https://joshclose.github.io/CsvHelper/",
          "type": "website"
        },
        {
          "url": "https://github.com/JoshClose/CsvHelper",
          "type": "vcs"
        }
      ]
    }

When converting the SBOM to xml, the json component will be converted to:

    <component type="library" bom-ref="pkg:nuget/CsvHelper@30.0.1">
      <author>Josh Close</author>
      <name>CsvHelper</name>
      <version>30.0.1</version>
      <description>A library for reading and writing CSV files. Extremely fast, flexible, and easy to use. Supports reading and writing of custom class objects.</description>
      <scope>required</scope>
      <hashes>
        <hash alg="SHA-512">F02DE9AB8F3A99B5B6D83ABC0E8EEBBD65563512C3610CBDF4F433202075C342FCFE58245C3AB7735E328433E80F0D6379DBFD5FC5392DF27FDAA15182A438DA</hash>
      </hashes>
      <licenses>
        <license>
          <id>MS-PL</id>
        </license>
      </licenses>
      <licenses>
        <license>
          <id>Apache-2.0</id>
        </license>
      </licenses>
      <copyright>Copyright © 2009-2022 Josh Close</copyright>
      <purl>pkg:nuget/CsvHelper@30.0.1</purl>
      <externalReferences>
        <reference type="website">
          <url>https://joshclose.github.io/CsvHelper/</url>
        </reference>
        <reference type="vcs">
          <url>https://github.com/JoshClose/CsvHelper</url>
        </reference>
      </externalReferences>
    </component>

The xml component is invalid, because it contains a duplicated licenses node, instead of one licenses node with multiple license nodes inside it. The validate command points this out correctly:

    Validation failed at line number 362 and position 8: The element 'component' in namespace 'http://cyclonedx.org/schema/bom/1.5' has invalid child element 'licenses' in namespace 'http://cyclonedx.org/schema/bom/1.5'. List of possible elements expected: 'copyright, cpe, purl, swid, modified, pedigree, externalReferences, properties, components, evidence, releaseNotes, modelCard, data' in namespace 'http://cyclonedx.org/schema/bom/1.5' as well as any element in namespace '##other'.

Taha-cmd avatar Apr 08 '24 14:04 Taha-cmd

Might be fixed once https://github.com/CycloneDX/cyclonedx-dotnet-library/pull/218 is merged and picked up by the cli.

andreas-hilti avatar May 18 '24 15:05 andreas-hilti

@andreas-hilti Thanks for the reference! The PR has been open for more than a year without a reaction from the maintainers :(

Taha-cmd avatar May 22 '24 08:05 Taha-cmd

@Taha-cmd I think it should be fixed by the new release (0.26.0).

andreas-hilti avatar Aug 14 '24 19:08 andreas-hilti