cyclonedx-cli
Error validating CycloneDX format in version 1.6
Hello,
I think there are various errors when validating the CycloneDX format in version 1.6.
Requirements:
$ trivy --version
Version: 0.56.1
[...]
$ cyclonedx-cli --version
0.27.1+6c0e6c8f45d446ed4a28891040592e4ae4a39c3c
Steps for reproduction:
$ trivy image --format cyclonedx --output /tmp/playwright.json mcr.microsoft.com/playwright/java:v1.47.0-noble-amd64
2024-10-14T14:53:21+02:00 INFO "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2024-10-14T14:53:22+02:00 INFO Detected OS family="ubuntu" version="24.04"
2024-10-14T14:53:22+02:00 INFO Number of language-specific files num=1
$ cyclonedx-cli validate --input-file /tmp/playwright.json
Validation failed:
Value is "object" but should be "array"
http://cyclonedx.org/schema/bom-1.6.schema.json#/properties/tools/oneOf/1
On instance: /metadata/tools:
[...]
Unable to validate against any JSON schemas.
BOM is not valid.
Analysis
Value is "object" but should be "array"
http://cyclonedx.org/schema/bom-1.6.schema.json#/properties/tools/oneOf/1
On instance: /metadata/tools:
{
"components": [
{
"type": "application",
"group": "aquasecurity",
"name": "trivy",
"version": "0.56.1"
}
]
}
The tools array is deprecated; tools is an object now - https://cyclonedx.org/docs/1.6/json/#tab-pane_metadata_tools_oneOf_i0
Required properties ["id"] are not present
http://cyclonedx.org/schema/bom-1.6.schema.json#/oneOf/0
On instance: /components/510/licenses/0/license:
{
"name": "GPL-3.0"
}
License can be id or name - https://cyclonedx.org/docs/1.6/json/#tab-pane_components_items_licenses_oneOf_i0_items_license_oneOf_i1
Value should have at most 1 items
http://cyclonedx.org/schema/bom-1.6.schema.json#/oneOf/1
On instance: /components/313/licenses:
[
{
"license": {
"name": "BSD-3-Clause"
}
},
{
"license": {
"name": "ISC"
}
},
{
"license": {
"name": "GPL-3.0"
}
}
]
Licenses is an array - why should it have only one item? https://cyclonedx.org/docs/1.6/json/#components_items_licenses
Thank you for your attention to this ticket.
@simonfrancaix When I ran it, I had two instances of empty licenses
{
"license": {}
},
which violate the specification, as id or name is required. If I remove these two, it validates successfully. However, what I don't understand is why the validation produces so many misleading/wrong error messages.
It seems to also report the oneOf cases against which it could not validate, even though another case succeeded, e.g.
for case 1 of tools (legacy tools) it can't validate against
http://cyclonedx.org/schema/bom-1.6.schema.json#/properties/tools/oneOf/1
but it can perfectly fine validate against case 0 (the new tools).
Similarly, in most cases it can't validate against LicenseChoice case 1 (license expression), but in most cases it can validate against case 0 (licenses list).
Hi @andreas-hilti, I think this is a widespread issue that is also affecting v1.5. Can you take a look at this thread: https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/579
@simonfrancaix @crimsonvspurple The number of (misleading) validation messages should be significantly reduced with release 0.27.2, and thus it should highlight the actual issue much better. Please give it a try.
Result of 0.27.2: https://github.com/crimsonvspurple/sbom-test/blob/master/validation_result.txt
I am seeing the same errors with cyclonedx-cli version 0.29.1+e7b6ea2ec2a95e705e8fa7a88ad5ac9dbfa7912d. Trivy version 0.65.0 generates 2 types of entries which cause cyclonedx-cli to fail on validate.
- Empty license (as reported above by @andreas-hilti):
{
"license": {}
},
- Mix of expression and license in licenses. This should be accepted, as some packages were created from code with different licenses or expressions of licenses but do not provide a secondary-layer SBOM. Using example "pkg:deb/debian/[email protected]?arch=all&distro=debian-13.0" (removing some entries). If the expression line is changed to be license/name, it passes cyclonedx-cli validate.
"licenses": [
{
"license": {
"name": "MIT-X-Consortium"
}
},
{
"expression": "GPL-3.0-or-later WITH Texinfo-exception"
},
{
"license": {
"id": "GFDL-1.3-or-later"
}
}
],
@erictolliverale This violates the specification in its current form, given that https://cyclonedx.org/docs/1.6/json/#components_items_licenses requires licenses to be an array with
EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression).
If you think that this should be allowed, you will need to raise that in the specification repository. (There are several license issues open/being worked on.) I think the idea would be that if you use license expressions, you should include all licenses in a single expression and combine them using "AND".
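The two schema rules discussed across this thread (the 1.6 `metadata.tools` object-or-array choice, and the `licenses` array being either a list of `license` objects with exactly one of `id`/`name` or a single `expression`) restated as a plain-Python pre-check, so that the offending entry is named directly instead of every failed oneOf branch. This is an added example, not cyclonedx-cli or Trivy code, and not a substitute for running `cyclonedx-cli validate` against the real schema. The `SAMPLE_BOM` document and the `strip_empty_licenses` helper (the "remove the empty entries" workaround from the thread) are constructed here for illustration.

```python
# Added example (not cyclonedx-cli or Trivy code): a plain-Python restatement of the
# two CycloneDX 1.6 rules behind the errors in this thread, so the *offending* entry
# is named rather than every failed oneOf branch. Pre-check only; the real schema
# validation is still `cyclonedx-cli validate`.
import copy
import json


def check_tools(tools, where="metadata/tools"):
    """metadata.tools in 1.6: the object form {"components": [...], "services": [...]}
    (what Trivy emits) or the deprecated array of tool objects. Both are valid."""
    if isinstance(tools, dict):
        unknown = sorted(k for k in tools if k not in ("components", "services"))
        return [f"{where}: unexpected keys {unknown}"] if unknown else []
    if isinstance(tools, list):
        return []  # legacy form: still accepted by the 1.6 schema, only deprecated
    return [f"{where}: must be an object or an array, got {type(tools).__name__}"]


def check_license_choice(licenses, where="licenses"):
    """One `licenses` array must be EITHER a list of {"license": {...}} objects,
    each with exactly one of "id" or "name", OR a single {"expression": "..."}.
    Returns a list of problem strings (empty means this array is fine)."""
    if not isinstance(licenses, list):
        return [f"{where}: must be an array, got {type(licenses).__name__}"]
    problems, n_license, n_expression = [], 0, 0
    for i, entry in enumerate(licenses):
        path = f"{where}/{i}"
        if not isinstance(entry, dict):
            problems.append(f"{path}: must be an object")
        elif "expression" in entry:
            n_expression += 1
            if not isinstance(entry["expression"], str) or not entry["expression"].strip():
                problems.append(f"{path}/expression: must be a non-empty SPDX expression")
        elif "license" in entry:
            n_license += 1
            lic = entry["license"]
            # {} (the Trivy case) and {"id": .., "name": ..} both fail the schema's oneOf
            if not isinstance(lic, dict) or (("id" in lic) == ("name" in lic)):
                problems.append(f"{path}/license: needs exactly one of 'id' or 'name'")
        else:
            problems.append(f"{path}: needs a 'license' object or an 'expression'")
    if n_expression > 1:
        problems.append(f"{where}: at most one 'expression' entry is allowed, got {n_expression}")
    if n_expression and n_license:
        problems.append(f"{where}: 'expression' and 'license' entries cannot be mixed; "
                        "use one combined SPDX expression (joined with AND) or only license objects")
    return problems


def check_bom(bom):
    """Walk a parsed CycloneDX JSON document and collect problems from both checks."""
    problems = []
    tools = bom.get("metadata", {}).get("tools")
    if tools is not None:
        problems += check_tools(tools)
    for i, comp in enumerate(bom.get("components", [])):
        if "licenses" in comp:
            problems += check_license_choice(comp["licenses"], f"components/{i}/licenses")
    return problems


def strip_empty_licenses(bom):
    """The workaround used in the thread: drop {"license": {}} entries.
    Returns (new_bom, removed_count); the input document is not modified."""
    bom = copy.deepcopy(bom)
    removed = 0
    for comp in bom.get("components", []):
        if "licenses" not in comp:
            continue
        kept = [e for e in comp["licenses"]
                if not (isinstance(e, dict) and e.get("license") == {})]
        removed += len(comp["licenses"]) - len(kept)
        comp["licenses"] = kept
    return bom, removed


# Constructed sample: shapes modelled on the Trivy output quoted in the thread.
SAMPLE_BOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.6",
  "metadata": {"tools": {"components": [
      {"type": "application", "group": "aquasecurity", "name": "trivy", "version": "0.56.1"}]}},
  "components": [
    {"type": "library", "name": "ok-list", "licenses": [
        {"license": {"name": "BSD-3-Clause"}}, {"license": {"name": "ISC"}}]},
    {"type": "library", "name": "empty-license", "licenses": [
        {"license": {"name": "MIT"}}, {"license": {}}]},
    {"type": "library", "name": "mixed", "licenses": [
        {"license": {"name": "MIT-X-Consortium"}},
        {"expression": "GPL-3.0-or-later WITH Texinfo-exception"},
        {"license": {"id": "GFDL-1.3-or-later"}}]},
    {"type": "library", "name": "ok-expression", "licenses": [
        {"expression": "MIT-X-Consortium AND GFDL-1.3-or-later"}]}
  ]
}""")

if __name__ == "__main__":
    for p in check_bom(SAMPLE_BOM):
        print(p)
    cleaned, n = strip_empty_licenses(SAMPLE_BOM)
    print(f"removed {n} empty license entries; remaining problems: {check_bom(cleaned)}")
```

Run against a real Trivy report with `check_bom(json.load(open(path)))`; the empty-license entries disappear after `strip_empty_licenses`, while the mixed `expression`/`license` arrays still need to be rewritten by hand (one combined expression, or only `license` objects) before the document will pass the official schema.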