cyclonedx convert causes cyclonedx validate to fail

[tmuehlbacher]

I am post-processing an SBOM using jq and hence have to then use
cyclonedx convert to get a "valid" SBOM again that has not just Unicode but
also "special" characters (e.g. &, <, >) escaped since certain tools
require this at least for CycloneDX v1.4 and v1.5.

The resulting file does not validate anymore.

I am using the cyclonedx build from nixpkgs.

$ cyclonedx --version
0.25.0
$ nixos-version
24.11.20240730.3a695d1 (Vicuna)

Steps to reproduce

• Create a simple valid SBOM file

• Check that it validates

• Use cyclonedx convert to normalize the SBOM

• Try to validate again

$ syft scan -o [email protected]=sbom.cdx.json alpine:latest
$ cat sbom.cdx.json | cyclonedx validate --input-format json --input-version v1_5
Validating JSON BOM...
BOM validated successfully.
$ cat sbom.cdx.json | cyclonedx convert --{input,output}-format=json --output-version=v1_5 | cyclonedx validate --input-format json --input-version v1_5
Validating JSON BOM...
Validation failed: Value does not match format "date-time"
#/properties/metadata/$ref/properties/timestamp/format
On instance: #/metadata/timestamp:
2024-07-31T17.40.47Z
BOM is not valid.

Here is the structural diff that cyclonedx convert causes:

$ diff -u <(jq -S . sbom.cdx.json) <(cyclonedx convert --{input,output}-format=json --output-version=v1_5 < sbom.cdx.json | jq -S .)
--- /dev/fd/63	2024-07-31 19:56:21.190104613 +0200
+++ /dev/fd/62	2024-07-31 19:56:21.191104604 +0200
@@ -1,5 +1,4 @@
 {
-  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "components": [
     {
@@ -1334,7 +1333,9 @@
       ],
       "swid": {
         "name": "alpine",
+        "patch": false,
         "tagId": "alpine",
+        "tagVersion": 0,
         "version": "3.20.2"
       },
       "type": "operating-system",
@@ -1419,7 +1420,7 @@
       "type": "container",
       "version": "sha256:eddacbc7e24bf8799a4ed3cdcfa50d4b88a323695ad80f317b6629883b2c2a78"
     },
-    "timestamp": "2024-07-31T19:40:47+02:00",
+    "timestamp": "2024-07-31T17.40.47Z",
     "tools": {
       "components": [
         {

The timestamp is for some reason getting mangled.

[andreas-hilti]

@tmuehlbacher I tried to reproduce your issue, but for me the resulting BOM validated correctly. However, for me the produced time-stamp was in the format "2024-08-01T08:11:45Z", note the ":" as separators, not "." as in your case.

If you use the latest version of the application (i.e. 0.25.1), does this change anything? (I doubt it, though.)

That the time is converted to UTC is intended:
https://github.com/CycloneDX/cyclonedx-dotnet-library/blob/d8057d3a06179d5bc6c97ff7fddbab45e6da06d6/src/CycloneDX.Core/Models/Metadata.cs#L36
(not sure about the motivation though).

What surprises me is that in your case the format is "yyyy-MM-ddTHH.mm.ssZ", given the explicit specification of "yyyy-MM-ddTHH:mm:ssZ" here:
https://github.com/CycloneDX/cyclonedx-dotnet-library/blob/d8057d3a06179d5bc6c97ff7fddbab45e6da06d6/src/CycloneDX.Core/Json/Converters/DateTimeConverter.cs#L54
However, as I discovered right now ":" is interpreted as time separator (and not just as a colon):
https://learn.microsoft.com/en-us/dotnet/standard/base-types/custom-date-and-time-format-strings
i.e. it depends what is defined as time separator in the system settings. We probably have to specify CultureInfo.InvariantCulture here.

[tmuehlbacher]

The locale does appear to be the problem, not sure why the format specified for `ToString` is not respected here. `env -i` or changing `LANG=en_DK.UTF-8` to en_US or de_DE makes the timestamp format correctly for me.