Trailing zeros in fractional digits of timestamp fail validation.
JSON Timestamps in cyclone-dx use the date-time format:
```json
"timestamp": {
  "type": "string",
  "format": "date-time",
  "title": "Timestamp",
  "description": "The timestamp in which the action occurred"
}
```
The date-time format is described here:
"date-time": Date and time together, for example, 2018-11-13T20:20:39+00:00

Using OWASP tools:
```
cyclonedx-win-x64.exe validate --input-file .\bom.json
Unable to validate against any JSON schemas.
BOM is not valid.
```
The BOM will validate using both tools if I remove the trailing zeros from the fractional digits in output manually:
E.g. going from:
2022-12-21T23:54:20.218381200Z
to
2022-12-21T23:54:20.2183812Z
The underlying problem here is that DateTime assumes that the format is ISO 8601:
https://github.com/CycloneDX/cyclonedx-rust-cargo/blob/19ba261766f44d92699fce1973a5819a4294420c/cyclonedx-bom/src/external_models/date_time.rs#L49
However, for JSON schema, the format is actually RFC 3339 which is a constrained subset of ISO 8601.
~~We'll probably want to keep DateTime in a neutral format in the models and then use custom serialization for serde and do conversion to ISO 8601 in the XML writer.~~ After looking at the code, the simplest solution is probably to parse ISO 8601, but emit RFC 3339. This emits something conservative that works with both XML and JSON, but parses either. The only consequence of this is that JSON won't strictly validate, but that's the case currently anyway.
If you agree, let me know and I'll try a PR.
Thanks for bringing this up and sorry for the slow response. I can verify that the validation fails indeed. But having read RFC 3339 I don't see anything in there that limits the amount of fractional digits.
So, I believe that the JSON we produce is actually correct and some tools don't support RFC3339 fully. I might be mistaken though.
It seems as if we want to fix the validator instead?
For reference, here's what I did:
```
❯ cyclonedx-linux-x64 validate --input-file bom.json --input-version v1_4
Validating JSON BOM...
Validation failed: Value does not match format "date-time"
#/properties/metadata/$ref/properties/timestamp/format
On instance: #/metadata/timestamp:
2023-10-31T20:40:25.785466440Z
BOM is not valid.
```
This is version 0.25
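As an added illustration of the two points discussed above (the proposal to emit a conservative RFC 3339 timestamp, and the observation that RFC 3339 does not cap the number of fractional digits), here is a small standard-library-only Rust program. It is not code from cyclonedx-rust-cargo or the CLI; it checks a string against the `date-time` ABNF in RFC 3339 section 5.6 and separately strips trailing zeros from the fractional seconds without changing the instant. The function names and the constructed sample inputs are my own.

```rust
// Added example, not project code: RFC 3339 `date-time` conformance check
// plus a trailing-zero stripper for the fractional-seconds part.

/// True if `s` is non-empty and consists only of ASCII digits.
fn all_digits(s: &str) -> bool {
    !s.is_empty() && s.bytes().all(|b| b.is_ascii_digit())
}

/// Checks `s` against RFC 3339 `date-time`:
///   full-date "T" partial-time time-offset
///   partial-time = HH ":" MM ":" SS [ "." 1*DIGIT ]
///   time-offset  = "Z" / ("+" / "-") HH ":" MM
/// Note `1*DIGIT`: any positive number of fractional digits is allowed,
/// so trailing zeros are not a conformance problem under this grammar.
fn is_rfc3339_date_time(s: &str) -> bool {
    // Split date and time on 'T' (RFC 3339 also tolerates lowercase 't').
    let (date, time) = match s.split_once(['T', 't']) {
        Some(parts) => parts,
        None => return false,
    };
    // full-date = YYYY "-" MM "-" DD, with basic range checks on month/day.
    let d: Vec<&str> = date.split('-').collect();
    if d.len() != 3 || d[0].len() != 4 || d[1].len() != 2 || d[2].len() != 2 {
        return false;
    }
    if !d.iter().all(|p| all_digits(p)) {
        return false;
    }
    let month: u32 = d[1].parse().unwrap();
    let day: u32 = d[2].parse().unwrap();
    if !(1..=12).contains(&month) || !(1..=31).contains(&day) {
        return false;
    }
    // time-offset: trailing "Z"/"z", or the last '+'/'-' followed by HH:MM.
    let (clock, offset) = match time.strip_suffix(['Z', 'z']) {
        Some(t) => (t, None),
        None => match time.rfind(['+', '-']) {
            Some(i) => (&time[..i], Some(&time[i + 1..])),
            None => return false,
        },
    };
    if let Some(off) = offset {
        let o: Vec<&str> = off.split(':').collect();
        if o.len() != 2 || !o.iter().all(|p| p.len() == 2 && all_digits(p)) {
            return false;
        }
        if o[0].parse::<u32>().unwrap() > 23 || o[1].parse::<u32>().unwrap() > 59 {
            return false;
        }
    }
    // partial-time: HH:MM:SS with an optional "." fraction.
    let (hms, frac) = match clock.split_once('.') {
        Some((h, f)) => (h, Some(f)),
        None => (clock, None),
    };
    let t: Vec<&str> = hms.split(':').collect();
    if t.len() != 3 || !t.iter().all(|p| p.len() == 2 && all_digits(p)) {
        return false;
    }
    let hour: u32 = t[0].parse().unwrap();
    let minute: u32 = t[1].parse().unwrap();
    let second: u32 = t[2].parse().unwrap();
    if hour > 23 || minute > 59 || second > 60 {
        return false; // 60 permits a leap second
    }
    // Fraction, if present, must be 1*DIGIT; its length is unconstrained.
    match frac {
        Some(f) => all_digits(f),
        None => true,
    }
}

/// Removes trailing zeros from the fractional-seconds part, dropping the '.'
/// entirely if no digits remain. The instant is unchanged; only the spelling is.
fn strip_trailing_fraction_zeros(s: &str) -> String {
    let dot = match s.find('.') {
        Some(i) => i,
        None => return s.to_string(),
    };
    // The fraction runs from after '.' up to the first non-digit (the offset).
    let rest = &s[dot + 1..];
    let end = rest.find(|c: char| !c.is_ascii_digit()).unwrap_or(rest.len());
    let (frac, tail) = rest.split_at(end);
    let trimmed = frac.trim_end_matches('0');
    if trimmed.is_empty() {
        format!("{}{}", &s[..dot], tail)
    } else {
        format!("{}.{}{}", &s[..dot], trimmed, tail)
    }
}

fn main() {
    // Constructed inputs: the timestamp from the report and its stripped form.
    for ts in ["2022-12-21T23:54:20.218381200Z", "2022-12-21T23:54:20.2183812Z"] {
        println!(
            "{} rfc3339={} stripped={}",
            ts,
            is_rfc3339_date_time(ts),
            strip_trailing_fraction_zeros(ts)
        );
    }
}
```

Both spellings of the reported timestamp pass the grammar check, which is the point made in the comment above: a validator that rejects the nine-digit form is applying a stricter rule than RFC 3339 itself. The stripper shows the cheap workaround reported in the issue, and keeps the offset suffix intact whether it is `Z` or `+HH:MM`.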
I have started a discussion in the CycloneDX Slack and I'll see if there are any results. If not I'll close this issue as I'm relatively sure that this is not a bug here.
I opened an issue in the .NET library which is used by the CLI. I'm going to close this issue as our JSON documents do indeed seem to be valid.
If you find any other validators that fail please let me know, I'm happy to reach out upstream and try to get them fixed as well.
Thanks for looking into this @lfrancke. It's been long enough that I don't remember how deep I went into RFC 3339 looking at formatting rules.
Entirely possible the validation is too strict.
I looked into it again and technically we are doing something wrong I believe. We use ISO 8601 when we should be using RFC 3339. I'll reopen this issue for now but we should probably open a new issue. Just so I don't forget.
To be more precise: JSON requires RFC 3339, XML ISO 8601, yay