Generated bom is invalid #579

Closed
crimsonvspurple opened this issue Nov 14, 2024 · 16 comments
@crimsonvspurple

crimsonvspurple commented Nov 14, 2024

In build:

            <plugin>
                <groupId>org.cyclonedx</groupId>
                <artifactId>cyclonedx-maven-plugin</artifactId>
                <version>2.8.1</version>
                <executions>
                    <execution>
                        <phase>package</phase>
                        <goals>
                            <goal>makeAggregateBom</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>

In deps:

        <dependency>
            <groupId>org.cyclonedx</groupId>
            <artifactId>cyclonedx-maven-plugin</artifactId>
            <version>2.8.1</version>
            <scope>provided</scope>
        </dependency>

makeAggregateBom:

[INFO] 
[INFO] -----------------------< com.compamy.software:app >------------------------
[INFO] Building app 1.0.1+0
[INFO]   from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- cyclonedx:2.8.1:makeAggregateBom (default-cli) @ app ---
[INFO] CycloneDX: Resolving Dependencies
[INFO] Artifact com.compamy.common:appx-common:pom:1.8 is present in the local repository, but cached from a remote repository ID that is unavailable in current build context, verifying that is downloadable from [sonatype-nexus-snapshots (https://oss.sonatype.org/content/repositories/snapshots, default, snapshots), central (https://repo.maven.apache.org/maven2, default, releases), apache.snapshots (https://repository.apache.org/snapshots, default, snapshots), maven-default-http-blocker (http://0.0.0.0/, default, releases+snapshots, blocked), jvnet-nexus-snapshots (https://maven.java.net/content/repositories/snapshots, default, snapshots), lyo-releases (https://repo.eclipse.org/content/repositories/lyo-releases/, default, releases+snapshots), lyo-snapshots (https://repo.eclipse.org/content/repositories/lyo-snapshots/, default, releases+snapshots), apache-snapshots (https://repository.apache.org/content/groups/snapshots/, default, snapshots), jena-staging (https://repository.apache.org/content/repositories/orgapachejena-1052, default, releases), jboss (https://repository.jboss.org/nexus/content/groups/public, default, releases+snapshots), jvnet-nexus-releases (https://maven.java.net/content/repositories/releases/, default, releases)]
[INFO] Artifact com.compamy.common:appx-common:pom:1.8 is present in the local repository, but cached from a remote repository ID that is unavailable in current build context, verifying that is downloadable from [sonatype-nexus-snapshots (https://oss.sonatype.org/content/repositories/snapshots, default, snapshots), central (https://repo.maven.apache.org/maven2, default, releases), apache.snapshots (https://repository.apache.org/snapshots, default, snapshots), maven-default-http-blocker (http://0.0.0.0/, default, releases+snapshots, blocked), jvnet-nexus-snapshots (https://maven.java.net/content/repositories/snapshots, default, snapshots), lyo-releases (https://repo.eclipse.org/content/repositories/lyo-releases/, default, releases+snapshots), lyo-snapshots (https://repo.eclipse.org/content/repositories/lyo-snapshots/, default, releases+snapshots), apache-snapshots (https://repository.apache.org/content/groups/snapshots/, default, snapshots), jena-staging (https://repository.apache.org/content/repositories/orgapachejena-1052, default, releases), jboss (https://repository.jboss.org/nexus/content/groups/public, default, releases+snapshots), jvnet-nexus-releases (https://maven.java.net/content/repositories/releases/, default, releases)]
[WARNING] Unable to create Maven project for com.compamy.common:appx-common:jar:1.8 from repository.
[INFO] CycloneDX: Creating BOM version 1.5 with 108 component(s)
[INFO] CycloneDX: Writing and validating BOM (XML): C:\Users\me\IdeaProjects\app\target\bom.xml
[INFO]            attaching as app-1.0.1+0-cyclonedx.xml
[INFO] CycloneDX: Writing and validating BOM (JSON): C:\Users\me\IdeaProjects\app\target\bom.json
[INFO]            attaching as app-1.0.1+0-cyclonedx.json
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  3.855 s
[INFO] Finished at: 2024-11-14T12:41:13+00:00
[INFO] ------------------------------------------------------------------------

cyclonedx-win-x64.exe validate --input-file bom.xml --input-version v1_5 --fail-on-errors

Validating XML BOM...
Validation failed at line number 2636 and position 443: The 'http://cyclonedx.org/schema/bom/1.5:url' element is invalid - The value 'https://github.com:networknt/json-schema-validator.git' is invalid according to its datatype 'Union' - The value 'https://github.com:networknt/json-schema-validator.git' is not valid according to any of the memberTypes of the union.
BOM is not valid.

cyclonedx-win-x64.exe validate --input-file bom.json --input-version v1_5 --fail-on-errors

Validating JSON BOM...
Validation failed:
Value is "object" but should be "array"
http://cyclonedx.org/schema/bom-1.5.schema.json#/properties/tools/oneOf/1
On instance: /metadata/tools:
{
      "components" : [
        {
          "author" : "OWASP Foundation",
...

Required properties ["name"] are not present
http://cyclonedx.org/schema/bom-1.5.schema.json#/properties/lifecycles/items/oneOf/1
On instance: /metadata/lifecycles/0:
{
        "phase" : "build"
      }
All values fail against the false schema
http://cyclonedx.org/schema/bom-1.5.schema.json#/properties/lifecycles/items/oneOf/1/additionalProperties
On instance: /metadata/lifecycles/0/phase:
build
Value should have at most 1 items
http://cyclonedx.org/schema/bom-1.5.schema.json#/oneOf/1
On instance: /components/9/licenses:
[
        {
          "license" : {
            "id" : "EPL-2.0"
          }
        },
        {
          "license" : {
            "name" : "GNU General Public License, version 2 with the GNU Classpath Exception",
            "url" : "https://www.gnu.org/software/classpath/license.html"
          }
        }
      ]
Value should have at most 1 items

and 100s of more validation fails.

Can someone tell me what am I doing wrong?

@hboutemy
Contributor

we need to share a reproducer to analyze together: do you have a basic project to simply build, for example on a personal GH Git repo? I don't have time to create a pom.xml from instructions, only to build from existing content

@crimsonvspurple
Author

@hboutemy
Contributor

yes, it helps: I can reproduce and look more in depth

  1. first validation failure
cyclonedx-win-x64.exe validate --input-file bom.xml --input-version v1_5 --fail-on-errors

Validating XML BOM...
Validation failed at line number 2636 and position 443: The 'http://cyclonedx.org/schema/bom/1.5:url' element is invalid - The value 'https://github.com:networknt/json-schema-validator.git' is invalid according to its datatype 'Union' - The value 'https://github.com:networknt/json-schema-validator.git' is not valid according to any of the memberTypes of the union.
BOM is not valid.

looking at cited line number 2636 and position 443, I find <url>https://github.com:networknt/json-schema-validator.git</url>
the value is not a valid url (:networknt is interpreted as a port), that's a fact: it seems this component has an issue in its POMs
I did not know the CycloneDX schema could detect such invalid urls
or perhaps the message from cyclonedx-win-x64.exe validate about a "union" is misleading: it's not clear at all

but on this one, I would not say the generated SBOM is invalid

  2. second validation failure
cyclonedx-win-x64.exe validate --input-file bom.json --input-version v1_5 --fail-on-errors

... so many issues reported ...

I started to read the issues reported and compared to what is in the json documentation https://cyclonedx.org/docs/1.5/json/#metadata_lifecycles_items_oneOf_i0_phase

all the issues I read from cyclonedx-win-x64.exe validate, I disagree with when compared against what I read in the docs

My overall conclusion: cyclonedx-win-x64.exe validate is wrong or misleading on everything
I found no issues in the SBOMs generated, but issues in the validation tool

do you agree on that, when you read the validation output and look at the SBOMs that the tool read?

@crimsonvspurple
Author

I'll be honest here that I never had to deal with SBOMs before, as I was mostly dealing with SaaS. Now I'm dealing with a corporate B2B and suddenly this is important. But I do not have the necessary knowledge/experience to declare with certainty that the SBOM is valid.
That's why I was trying to use the CycloneDX validator in the first place.

To me, all the errors from the validator seem minor and some sort of implementation-deviating-slightly-from-the-spec issue, either on the Maven plugin's part or the validator's part. Do you think I should raise an issue on the validator's issue tracker?

btw, while I have your attention, can you tell me why the generated BOM has jcip twice and the latter one has licenses: [] (empty)?

@crimsonvspurple
Author

Since the schema and BOM look "fine" but the validator doesn't make any sense...

I tried the following:

So without any deep SBOM knowledge, from the simple JSON validation perspective, the validator seems to be wrong, to me at least.

@andreas-hilti

andreas-hilti commented Nov 22, 2024

@crimsonvspurple Could you please also attach the json SBOM to your example?

My guess is that the root cause is at the same location as in the xml file:

Value does not match format "iri-reference"
http://cyclonedx.org/schema/bom-1.5.schema.json#/properties/url/anyOf/0
On instance: /components/98/externalReferences/3/url:
https://github.com:networknt/json-schema-validator.git

i.e. this is not a valid url.

I also only recently noticed that JsonSchema.Net (which is used by the cyclonedx-cli) generates very verbose validation messages. This is particularly true if you have conditional subschemas by the use of anyOf, oneOf, etc. Then, the cli currently reports the validation messages for all case distinctions, compare also:
CycloneDX/cyclonedx-cli#407
as well as
https://json-schema.org/blog/posts/interpreting-output
for some background information.

I have tried to prune out misleading validation messages in this PR:
CycloneDX/cyclonedx-dotnet-library#367
and I would like to verify that it also improves your case a lot. (It might not be perfect, but should hopefully be much better/easier to understand).

In any case, the CycloneDX specification enforces that urls are iri-reference values, thus if you enter an invalid url this will result in an invalid BOM. I tend to think that it would be the responsibility of the BOM generator package to validate that it is a proper url and otherwise maybe skip it and issue a warning.
Independent of the number of validation messages, the cyclonedx-cli reports the overall validation status correctly, at least as far as I'm aware.

@crimsonvspurple
Author

crimsonvspurple commented Nov 25, 2024

@andreas-hilti I have updated the repo with bom and new results from 0.27.2 cli.

Validating JSON BOM...
Validation failed:
Value does not match format "iri-reference"
http://cyclonedx.org/schema/bom-1.5.schema.json#/properties/url/anyOf/0
On instance: /components/16/externalReferences/3/url:
https://github.com:networknt/json-schema-validator.git
Value does not match format "iri-reference"
http://cyclonedx.org/schema/bom-1.5.schema.json#/properties/url/anyOf/0
On instance: /components/17/externalReferences/2/url:
https://github.com:ethlo/itu
Value does not match format "iri-reference"
The string value is not a match for the indicated regular expression
http://cyclonedx.org/schema/bom-1.5.schema.json#/definitions/bomLinkDocumentType
On instance: /components/16/externalReferences/3/url:
https://github.com:networknt/json-schema-validator.git
Value does not match format "iri-reference"
The string value is not a match for the indicated regular expression
http://cyclonedx.org/schema/bom-1.5.schema.json#/definitions/bomLinkElementType
On instance: /components/16/externalReferences/3/url:
https://github.com:networknt/json-schema-validator.git
Value does not match format "iri-reference"
The string value is not a match for the indicated regular expression
http://cyclonedx.org/schema/bom-1.5.schema.json#/definitions/bomLinkDocumentType
On instance: /components/17/externalReferences/2/url:
https://github.com:ethlo/itu
Value does not match format "iri-reference"
The string value is not a match for the indicated regular expression
http://cyclonedx.org/schema/bom-1.5.schema.json#/definitions/bomLinkElementType
On instance: /components/17/externalReferences/2/url:
https://github.com:ethlo/itu
BOM is not valid.

The issue seems to be coming from here. Who do I knock about a fix? The Maven plugin to use project.url instead of project.scm.url? Or json-schema-validator to update the pom?


@hboutemy
Contributor

external references extracted by the CycloneDX Maven Plugin from POM are described here: https://cyclonedx.github.io/cyclonedx-maven-plugin/external-references.html

is the issue in the SBOM happening with website external reference, or vcs, or any other?

@hboutemy
Contributor

hboutemy commented Nov 26, 2024

oh now I see: project.scm.url in project's pom.xml is invalid: the project should fix it

I see it has been done, probably as a consequence of the current discussion networknt/json-schema-validator#1131

thank you @rpoet-jh :)

@hboutemy
Contributor

hboutemy commented Nov 26, 2024

notice that:

  • validating the format of a url in the content and saying that BOM is not valid seems crude to me: is it possible for CLI to tell about different levels of validation?
  • not having the same level of validation in different OWASP tools does not help: the java library used by CycloneDX Maven Plugin does some level of validation, I would have expected a warning in such a case

@crimsonvspurple
Author

So there were three issues:

  1. Too many invalid errors: Fixed by hilti on cydx cli upstream
  2. URI issue: Fixed by rpoet on json schema validator upstream
  3. Empty license on jcip

@hboutemy can you please shed some light on this issue?
https://github.com/crimsonvspurple/sbom-test/blob/cce6d963c69d33d219eee459ddee8b784e42ce07/target/bom.json#L450

Really appreciate everyone being so helpful around here :)
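The three defect classes the thread converged on (an scp-style `<scm><url>` value where `:networknt` is parsed as a port, as hboutemy and andreas-hilti explained above; a component listed twice; and an empty `licenses: []` array on the second copy) can all be caught before the BOM is handed to a schema validator. The following is an added example, not code from the issue, the CycloneDX Maven Plugin or the CycloneDX CLI: a stdlib-only Python lint over a CycloneDX 1.5 JSON document. The sample BOM is constructed (placeholder versions and licence names), and the function names `url_problem`, `invalid_urls`, `empty_license_components`, `duplicate_bom_refs` and `lint` are this example's own. The URL check relies on the fact that `urllib.parse.urlsplit(...).port` raises `ValueError` when the text after the host's `:` is not an integer, which is exactly the `https://github.com:networknt/...` case.

```python
"""Pre-publication lint for a CycloneDX JSON BOM (stdlib only).

Flags three defect classes discussed in the thread:
  1. externalReferences URLs whose authority does not parse (":networknt" taken as a port)
  2. components with an empty "licenses" array
  3. duplicate "bom-ref" values (the spec requires bom-ref to be unique within a BOM)
"""
import json
import sys
from urllib.parse import urlsplit

# Constructed sample BOM fragment (not the issue's bom.json); versions and
# licence names are placeholders chosen to trigger each check exactly once.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "bom-ref": "pkg:maven/com.networknt/json-schema-validator@0.0.0-example",
            "name": "json-schema-validator",
            "externalReferences": [
                {"type": "website",
                 "url": "https://github.com/networknt/json-schema-validator"},
                # scp-style text copied from <scm><url>: the ':' makes "networknt" the port
                {"type": "vcs",
                 "url": "https://github.com:networknt/json-schema-validator.git"},
            ],
            "licenses": [{"license": {"id": "Apache-2.0"}}],
        },
        {
            "bom-ref": "pkg:maven/net.jcip/jcip-annotations@0.0.0-example",
            "name": "jcip-annotations",
            "licenses": [{"license": {"name": "placeholder licence name"}}],
        },
        {   # second copy of the same coordinates, with no licence information at all
            "bom-ref": "pkg:maven/net.jcip/jcip-annotations@0.0.0-example",
            "name": "jcip-annotations",
            "licenses": [],
        },
    ],
}


def url_problem(url):
    """Return a reason string if the URL's authority cannot be parsed, else None.

    urlsplit() itself is lenient; accessing .port is what rejects a
    non-integer (or out-of-range) port such as the 'networknt' above.
    Relative references (valid iri-reference values) have no port and pass.
    """
    try:
        urlsplit(url).port
    except ValueError as exc:
        return f"unparseable authority: {exc}"
    return None


def invalid_urls(bom):
    """(component index, reference index, url, reason) for every bad externalReferences url."""
    found = []
    for ci, comp in enumerate(bom.get("components", [])):
        for ri, ref in enumerate(comp.get("externalReferences", [])):
            url = ref.get("url", "")
            reason = url_problem(url)
            if reason:
                found.append((ci, ri, url, reason))
    return found


def empty_license_components(bom):
    """(component index, name) for components that declare licenses but list none."""
    return [(ci, comp.get("name"))
            for ci, comp in enumerate(bom.get("components", []))
            if "licenses" in comp and not comp["licenses"]]


def duplicate_bom_refs(bom):
    """(first index, duplicate index, bom-ref) for every repeated bom-ref."""
    first_seen, dups = {}, []
    for ci, comp in enumerate(bom.get("components", [])):
        ref = comp.get("bom-ref")
        if ref is None:
            continue
        if ref in first_seen:
            dups.append((first_seen[ref], ci, ref))
        else:
            first_seen[ref] = ci
    return dups


def lint(bom):
    """Run all checks; empty lists everywhere means nothing to fix before schema validation."""
    return {
        "invalid_urls": invalid_urls(bom),
        "empty_licenses": empty_license_components(bom),
        "duplicate_bom_refs": duplicate_bom_refs(bom),
    }


if __name__ == "__main__":
    # Usage: python bom_lint.py [target/bom.json]; without a path the sample is linted.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            bom = json.load(fh)
    else:
        bom = SAMPLE_BOM
    for check, findings in lint(bom).items():
        for finding in findings:
            print(f"{check}: {finding}")
```

Run it against `target/bom.json` after `makeAggregateBom` and before the CLI's `validate`: the URL finding points at the exact component and reference index to fix upstream (the POM's `scm.url`, as the thread did), while the empty-licence and duplicate findings are data-quality gaps that a schema check alone does not explain. The lint does not replace schema validation; it gives a readable first pass over the defects that produced the confusing validator output above.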

@hboutemy
Contributor

on the empty license, it should first be improved at jcip level to have a real license listed

in parallel, perhaps you'll be interested in #573: I did not check how jcip defined their license in their pom, but it may solve the immediate issue

#573 has been merged, but release not yet done

@hboutemy
Contributor

2.9.1 release just done, you can test if it works around the issue in jcip pom

@crimsonvspurple
Author

Seems like there are two jcip packages, the original one from 2006 has no pom file at all.

I'll test and update you

@crimsonvspurple
Author

I did a test and it didn't seem to help. I posted on #573

@crimsonvspurple
Author

Everything mentioned here seems to be fixed now. Thank you all.
