Error validating CycloneDX format in version 1.6 #407

Open
simonfrancaix opened this issue Oct 14, 2024 · 5 comments

Comments

@simonfrancaix

Hello,

I think there are various errors when validating CycloneDX format version 1.6.

Requirements:

$ trivy --version
Version: 0.56.1
[...]
$ cyclonedx-cli --version
0.27.1+6c0e6c8f45d446ed4a28891040592e4ae4a39c3c

Steps for reproduction:

$ trivy image --format cyclonedx --output /tmp/playwright.json mcr.microsoft.com/playwright/java:v1.47.0-noble-amd64
2024-10-14T14:53:21+02:00	INFO	"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2024-10-14T14:53:22+02:00	INFO	Detected OS	family="ubuntu" version="24.04"
2024-10-14T14:53:22+02:00	INFO	Number of language-specific files	num=1
$ cyclonedx-cli validate --input-file /tmp/playwright.json
Validation failed:
Value is "object" but should be "array"
http://cyclonedx.org/schema/bom-1.6.schema.json#/properties/tools/oneOf/1
On instance: /metadata/tools:
[...]
Unable to validate against any JSON schemas.
BOM is not valid.

Analysis

Value is "object" but should be "array"
http://cyclonedx.org/schema/bom-1.6.schema.json#/properties/tools/oneOf/1
On instance: /metadata/tools:
{
  "components": [
    {
      "type": "application",
      "group": "aquasecurity",
      "name": "trivy",
      "version": "0.56.1"
    }
  ]
}

The tools array is deprecated; tools is an object now - https://cyclonedx.org/docs/1.6/json/#tab-pane_metadata_tools_oneOf_i0

Required properties ["id"] are not present
http://cyclonedx.org/schema/bom-1.6.schema.json#/oneOf/0
On instance: /components/510/licenses/0/license:
{
  "name": "GPL-3.0"
}

A license can be an id or a name - https://cyclonedx.org/docs/1.6/json/#tab-pane_components_items_licenses_oneOf_i0_items_license_oneOf_i1

Value should have at most 1 items
http://cyclonedx.org/schema/bom-1.6.schema.json#/oneOf/1
On instance: /components/313/licenses:
[
  {
    "license": {
      "name": "BSD-3-Clause"
    }
  },
  {
    "license": {
      "name": "ISC"
    }
  },
  {
    "license": {
      "name": "GPL-3.0"
    }
  }
]

Licenses is an array - why should it be one item? https://cyclonedx.org/docs/1.6/json/#components_items_licenses

Thank you for your attention to this ticket.

@andreas-hilti (Contributor)

@simonfrancaix When I ran it, I had two instances of empty licenses

{
  "license": {}
},

which violate the specification, as id or name is required. If I remove these two, it validates successfully.
However, what I don't understand is why the validation produces so many misleading/wrong error messages.

@andreas-hilti (Contributor)

It also seems to report the oneOf cases against which it could not validate, even though another case succeeded, e.g.
case 1 for tools (legacy tools): it can't validate
http://cyclonedx.org/schema/bom-1.6.schema.json#/properties/tools/oneOf/1
against it, but it can validate perfectly fine against case 0 (the new tools).
Similarly, in most cases it can't validate against LicenseChoice case 1 (license expression), but in most cases it can validate against case 0 (licenses list).
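To make the real defect visible before the schema validator floods the output with oneOf noise, the following script is an added example (not code from the issue, from Trivy or from cyclonedx-cli) that pre-checks a CycloneDX 1.6 document for exactly the three points discussed above: the shape of metadata.tools (object or deprecated array, both accepted by 1.6), the id-or-name requirement on every license object (the empty `"license": {}` entries that actually broke the BOM), and the rule that an SPDX expression must be the only item in `licenses`, which is what the "at most 1 items" message refers to. It uses only the Python standard library; the sample BOM is constructed for the example and mirrors the Trivy metadata quoted in the report.

```python
import json

# Constructed sample: a minimal CycloneDX 1.6 BOM shaped like the Trivy output
# quoted in the report (metadata.tools as an object with "components"), plus
# four constructed components that exercise the LicenseChoice branches.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "metadata": {
        "tools": {
            "components": [
                {"type": "application", "group": "aquasecurity",
                 "name": "trivy", "version": "0.56.1"}
            ]
        }
    },
    "components": [
        # valid: several named licenses (LicenseChoice case 0)
        {"type": "library", "name": "lib-named", "licenses": [
            {"license": {"name": "BSD-3-Clause"}},
            {"license": {"name": "ISC"}},
            {"license": {"name": "GPL-3.0"}},
        ]},
        # invalid: the empty license object found in the thread
        {"type": "library", "name": "lib-empty", "licenses": [
            {"license": {}},
        ]},
        # valid: a single SPDX expression (LicenseChoice case 1)
        {"type": "library", "name": "lib-expr", "licenses": [
            {"expression": "MIT OR Apache-2.0"},
        ]},
        # invalid: an expression mixed with a license entry
        {"type": "library", "name": "lib-mixed", "licenses": [
            {"license": {"id": "MIT"}},
            {"expression": "BSD-2-Clause"},
        ]},
    ],
})


def tools_shape(bom):
    """Classify metadata.tools. The 1.6 schema accepts both oneOf branches:
    the current object form (case 0) and the deprecated array (case 1)."""
    tools = bom.get("metadata", {}).get("tools")
    if tools is None:
        return "absent"
    if isinstance(tools, dict):
        return "object"
    if isinstance(tools, list):
        return "legacy-array"
    return "invalid"


def check_license_choice(licenses, path):
    """Check one 'licenses' array against the LicenseChoice oneOf: either every
    item is {"license": {...}} with exactly one of id/name (case 0), or the array
    holds a single {"expression": "..."} item (case 1). Mixing the two, or more
    than one expression, matches neither branch."""
    findings = []
    if not isinstance(licenses, list):
        return [f"{path}: licenses must be an array"]
    kinds = set()
    for i, item in enumerate(licenses):
        item_path = f"{path}/{i}"
        if isinstance(item, dict) and "license" in item:
            kinds.add("license")
            lic = item["license"]
            keys = {"id", "name"} & set(lic.keys()) if isinstance(lic, dict) else set()
            if len(keys) != 1:
                findings.append(f"{item_path}/license: exactly one of 'id' or 'name' "
                                f"is required (found {sorted(keys) or 'none'})")
        elif isinstance(item, dict) and "expression" in item:
            kinds.add("expression")
        else:
            findings.append(f"{item_path}: item must contain 'license' or 'expression'")
    if "expression" in kinds and (len(kinds) > 1 or len(licenses) > 1):
        findings.append(f"{path}: an SPDX expression must be the only item in 'licenses'")
    return findings


def check_bom(bom_json):
    """Parse a BOM document and return (tools shape, list of license findings).
    Finding paths use the same JSON-pointer style as the validator's 'On instance'."""
    bom = json.loads(bom_json)
    findings = []
    for i, comp in enumerate(bom.get("components", [])):
        if "licenses" in comp:
            findings.extend(check_license_choice(comp["licenses"], f"/components/{i}/licenses"))
    return tools_shape(bom), findings


if __name__ == "__main__":
    shape, problems = check_bom(SAMPLE_BOM)
    print(f"metadata.tools shape: {shape}")
    for p in problems:
        print("defect:", p)
```

Run against a real Trivy export by replacing SAMPLE_BOM with the file contents; the script reports only the entries that fail the LicenseChoice rules, so a BOM that validates in cyclonedx-cli produces an empty finding list and one that fails points straight at the offending component index.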

@crimsonvspurple

Hi @andreas-hilti
I think this is a widespread issue that is also affecting v1.5.
Can you take a look at this thread: CycloneDX/cyclonedx-maven-plugin#579

@andreas-hilti (Contributor)

@simonfrancaix @crimsonvspurple The number of (misleading) validation messages should be significantly reduced with release 0.27.2, and thus it should highlight the actual issue much better. Please give it a try.

crimsonvspurple added a commit to crimsonvspurple/sbom-test that referenced this issue Nov 25, 2024
@crimsonvspurple

Result of 0.27.2: https://github.com/crimsonvspurple/sbom-test/blob/master/validation_result.txt
