cyclonedx-core-java icon indicating copy to clipboard operation
cyclonedx-core-java copied to clipboard
verified publisher icon CycloneDX

[WARNING] Unknown keyword additionalItems - you should define your own Meta Schema. If the keyword is irrelevant for validation, just use a NonValidationKeyword

Open hboutemy opened this issue 2 years ago • 13 comments

warning that appears in cyclone-dx-maven plugin when validating the json SBOM that just has been generated: see https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/305

it seems this is a problem when parsing the json schema https://github.com/CycloneDX/cyclonedx-core-java/blob/master/src/main/resources/bom-1.4.schema.json

hboutemy avatar Mar 30 '23 06:03 hboutemy

Any means to circumvent this problem?

eero-vaarnas avatar Jun 13 '23 12:06 eero-vaarnas

Likely caused by minor technical defects in prior schemas. These warnings can simply be ignored. I believe we have eliminated these issues in v1.5

stevespringett avatar Jun 13 '23 14:06 stevespringett

Likely caused by minor technical defects in prior schemas. These warnings can simply be ignored. I believe we have eliminated these issues in v1.5

It stills occures with current core version (7.3.2 used by Maven CycloneDX-Plugin 2.7.9, released May 2023). So it was not fixed in 7.1.5 :/

Bukama avatar Aug 16 '23 07:08 Bukama

@Bukama we never said it was fixed in cyclonedx-core-java. What was said was that we have fixed the issue in v1.5 of the CycloneDX schema. We have yet to release a version of cyclonedx-core-java that supports the v1.5 schema, but we're close to doing so. The next point release will include support for the v1.5 schema, so generating BOMs with that schema should not yield any warnings, however generating BOMs targeting CycloneDX v1.4 will continue to generate the warnings (as expected).

stevespringett avatar Aug 16 '23 19:08 stevespringett

@Bukama we never said it was fixed in cyclonedx-core-java. What was said was that we have fixed the issue in v1.5 of the CycloneDX schema. We have yet to release a version of cyclonedx-core-java that supports the v1.5 schema, but we're close to doing so. The next point release will include support for the v1.5 schema, so generating BOMs with that schema should not yield any warnings, however generating BOMs targeting CycloneDX v1.4 will continue to generate the warnings (as expected).

Thanks for the clarification. I understood your comment as a reference to the 7.1.5 version, my bad!

Bukama avatar Aug 17 '23 14:08 Bukama

Hi, still happens in maven plugin 2.7.11 with core 8.0.3. Any hope we can get it fixed soon?

rmannibucau avatar Feb 18 '24 09:02 rmannibucau

@rmannibucau maven plugin 2.7.11 does not use core 8 but 7: maven 2.8 will use code 8, currently available as SNAPSHOT only

hboutemy avatar Feb 18 '24 16:02 hboutemy

Thanks @hboutemy , I can confirm there is no more warning with the snapshot. Any release date?

rmannibucau avatar Feb 18 '24 16:02 rmannibucau

it should come soon, a few improvements to add before

hboutemy avatar Feb 18 '24 17:02 hboutemy

Is there a status update available please?

garydgregory avatar Oct 13 '24 13:10 garydgregory