Validation of newly generated BOM files fails
ognyandim opened this issue · 2 comments
Context
Windows 10
Cyclone versions:
NPM Version: @cyclonedx/cyclonedx-npm@1.7.2 of CycloneDX for NPM
.NET Version: 2.7.0 of CycloneDX for .NET
IDEs
VS 2022
VS Code
npm version 9.2.0
node version 18.12.1
Actions
- Generating NPM and .NET BOMs from the latest boilerplate project on https://aspnetboilerplate.com as is - unpack, restore packages and run the BOM generation as described below
// for the NPM BOM
cyclonedx-npm --output-format "JSON" --output-file "bom.json"
// for the .NET BOM
dotnet-CycloneDX .\FMS.sln -o ./
dotnet-CycloneDX .\FMS.sln -o ./ -j
The generation is ok.
- Validation
To validate the generated BOMs I am using the hosted version: https://cyclonedx.github.io/cyclonedx-web-tool
The validation tool returns errors on both BOMs.
Results
From both validations I get the alert: The file is not a valid v1.4 BOM.
From the NPM BOM validation I get:
'<' is an invalid start of a value. LineNumber: 0 | BytePositionInLine: 0.
From the .NET BOMs in JSON validation I get:
"Validation failed: #/properties/components/items"
From the .NET BOMs in XML validation I get:
Validation failed at line number 373 and position 28: The 'http://cyclonedx.org/schema/bom/1.4:id' element is invalid - The value 'NOASSERTION' is invalid according to its datatype 'http://cyclonedx.org/schema/spdx:licenseId' - The Enumeration constraint failed.
The resulting BOMs are attached.
Can you attach the XML BOMs as well? The ZIP only has the JSON one.
Hello @stevespringett and thanks for the quick reply.
Here they are:
.net.bom.json.zip
.net.bom.xml.zip
npm.bom.json.zip
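
A local triage check for two of the symptoms reported in this thread, added here as an example (not code from CycloneDX or from the reporter). It classifies a file by its first significant byte, since a JSON parser that reports '<' at byte position 0 was handed content beginning with '<', and it lists the components in a JSON BOM whose license id is NOASSERTION, the value the XML validation rejected. The function names and sample BOMs are constructed; whether NOASSERTION also explains the JSON validation failure is an assumption this check helps test.

```python
import json

# Value the XML validator rejected as a license id in the report above.
REJECTED_LICENSE_ID = "NOASSERTION"

# Constructed sample inputs (not the BOMs attached to the issue).
SAMPLE_JSON = b"""{"bomFormat":"CycloneDX","specVersion":"1.4","components":[
 {"type":"library","name":"example-a","licenses":[{"license":{"id":"MIT"}}]},
 {"type":"library","name":"example-b","licenses":[{"license":{"id":"NOASSERTION"}}],
  "components":[{"type":"library","name":"example-c","licenses":[{"license":{"id":"NOASSERTION"}}]}]}]}"""
SAMPLE_XML = b'<?xml version="1.0"?><bom xmlns="http://cyclonedx.org/schema/bom/1.4"/>'

def sniff_format(raw: bytes) -> str:
    """Classify a BOM by its first significant byte: 'json', 'xml' or 'unknown'."""
    text = raw.removeprefix(b"\xef\xbb\xbf").lstrip()  # skip UTF-8 BOM and whitespace
    if text.startswith(b"<"):
        return "xml"
    if text.startswith(b"{"):
        return "json"
    return "unknown"

def find_rejected_license_ids(components, pointer="/components"):
    """Return (JSON pointer, component name) for each license.id == REJECTED_LICENSE_ID."""
    hits = []
    for i, comp in enumerate(components or []):
        here = f"{pointer}/{i}"
        for j, entry in enumerate(comp.get("licenses") or []):
            if (entry.get("license") or {}).get("id") == REJECTED_LICENSE_ID:
                hits.append((f"{here}/licenses/{j}/license/id", comp.get("name")))
        # CycloneDX components may nest further components, so recurse into them.
        hits += find_rejected_license_ids(comp.get("components"), f"{here}/components")
    return hits

def triage(raw: bytes):
    """Return (detected format, rejected-license hits); hits are only computed for JSON."""
    fmt = sniff_format(raw)
    if fmt != "json":
        return fmt, []
    bom = json.loads(raw.decode("utf-8-sig"))
    return fmt, find_rejected_license_ids(bom.get("components"))

if __name__ == "__main__":
    for name, raw in (("json sample", SAMPLE_JSON), ("xml sample", SAMPLE_XML)):
        print(name, triage(raw))
```
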