VDR Generated by Library doesn't pass validation #659

Scanteianu · 2024-07-29T18:48:16Z

Scanteianu
Jul 29, 2024

Hello,

I use this library to generate a Vulnerability Disclosure Report for Adoptium Temurin (OpenJDK Build): https://github.com/adoptium/temurin-vdr-generator/blob/main/cvereporter/report.py
As an example, see https://github.com/adoptium/temurin-vdr-generator/actions/runs/9914996771
However, it doesn't pass validation on https://cyclonedx.github.io/cyclonedx-web-tool/convert which I'm guessing is powered by https://github.com/CycloneDX/sbom-utility

It would be nice if the library could somehow prevent me from generating an invalid sbom.

Errors from running the utility locally include:

Welcome to the sbom-utility! Version `v0.16.0` (sbom-utility) (windows/amd64)
=============================================================================
[INFO] Loading (embedded) default schema config file: `config.json`...
[INFO] Loading (embedded) default license policy file: `license.json`...
[INFO] Attempting to load and unmarshal data from: `vdr.json`...
[INFO] Successfully unmarshalled data from: `vdr.json`
[INFO] Determining file's BOM format and version...
[INFO] Determined BOM format, version (variant): `CycloneDX`, `1.4` (latest)
[INFO] Matching BOM schema (for validation): schema/cyclonedx/1.4/bom-1.4.schema.json
[INFO] Loading schema `schema/cyclonedx/1.4/bom-1.4.schema.json`...
[INFO] Schema `schema/cyclonedx/1.4/bom-1.4.schema.json` loaded.
[INFO] Validating `vdr.json`...
[INFO] BOM valid against JSON schema: `false`
[INFO] (1157) schema errors detected.
[INFO] Formatting error results (`txt` format)...
[INFO] Too many errors. Showing (10/1157) errors.
1. {
        "type": "invalid_type",
        "field": "metadata.component.supplier",
        "context": "(root).metadata.component.supplier",
        "description": "Invalid type. Expected: object, given: string",
        "value": "Eclipse foundation"
    }
2. {
        "type": "invalid_type",
        "field": "vulnerabilities.0.ratings.0.score",
        "context": "(root).vulnerabilities.0.ratings.0.score",
        "description": "Invalid type. Expected: number, given: string",
        "value": "7.5"
    }
3. {
        "type": "invalid_type",
        "field": "vulnerabilities.0.ratings.1.source",
        "context": "(root).vulnerabilities.0.ratings.1.source",
        "description": "Invalid type. Expected: object, given: string",
        "value": "https://openjdk.org/groups/vulnerability/advisories/2019-04-16"
    }
4. {
        "type": "invalid_type",
        "field": "vulnerabilities.0.ratings.1.score",
        "context": "(root).vulnerabilities.0.ratings.1.score",
        "description": "Invalid type. Expected: number, given: string",
        "value": "7.5"
    }
5. {
        "type": "number_one_of",
        "field": "vulnerabilities.0.affects.0.versions.0",
        "context": "(root).vulnerabilities.0.affects.0.versions.0",
        "description": "Must validate one and only one schema (oneOf)",
        "value": "11.0.2"
    }
6. {
        "type": "number_one_of",
        "field": "vulnerabilities.0.affects.0.versions.1",
        "context": "(root).vulnerabilities.0.affects.0.versions.1",
        "description": "Must validate one and only one schema (oneOf)",
        "value": "12"
    }
7. {
        "type": "number_one_of",
        "field": "vulnerabilities.0.affects.0.versions.2",
        "context": "(root).vulnerabilities.0.affects.0.versions.2",
        "description": "Must validate one and only one schema (oneOf)",
        "value": "7u211"
    }
8. {
        "type": "number_one_of",
        "field": "vulnerabilities.0.affects.0.versions.3",
        "context": "(root).vulnerabilities.0.affects.0.versions.3",
        "description": "Must validate one and only one schema (oneOf)",
        "value": "8u202"
    }
9. {
        "type": "invalid_type",
        "field": "vulnerabilities.1.ratings.0.score",
        "context": "(root).vulnerabilities.1.ratings.0.score",
        "description": "Invalid type. Expected: number, given: string",
        "value": "5.9"
    }
10. {
        "type": "invalid_type",
        "field": "vulnerabilities.1.ratings.1.source",
        "context": "(root).vulnerabilities.1.ratings.1.source",
        "description": "Invalid type. Expected: object, given: string",
        "value": "https://openjdk.org/groups/vulnerability/advisories/2019-04-16"
    }
[ERROR] invalid SBOM: schema errors found (vdr.json)
[INFO] document `vdr.json`: valid=[false]

jkowalleck · 2024-08-07T14:43:00Z

jkowalleck
Aug 7, 2024
Maintainer

this library provides validation capabilities.
see the example:

cyclonedx-python-lib/examples/complex_serialize.py

Lines 85 to 93 in 83b54aa

    
           my_json_validator = JsonStrictValidator(SchemaVersion.V1_6) 
        
           try: 
        
               validation_errors = my_json_validator.validate_str(serialized_json) 
        
               if validation_errors: 
        
                   print('JSON invalid', 'ValidationError:', repr(validation_errors), sep='\n', file=sys.stderr) 
        
                   sys.exit(2) 
        
               print('JSON valid') 
        
           except MissingOptionalDependencyException as error: 
        
               print('JSON-validation was skipped due to', error)