pkg/formats/sniffer.go can't detect CycloneDX files if they are minified to one line

Question

pkg/formats/sniffer.go can't detect CycloneDX files if they are minified to one line

Closed this issue a year ago · 1 comments

As title, if I have a file like this

{"bomFormat":"CycloneDX","specVersion":"1.4","version":1,"serialNumber":"urn:uuid:b35ea91e-91c2-40ae-97fe-c015a4fd8790","metadata":{...

sniff() will not detect the format and SniffReader() will return "unknown SBOM format".

If I instead prettify the document so it start likes this

{
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "serialNumber": "urn:uuid:b35ea91e-91c2-40ae-97fe-c015a4fd8790",
    "moreKeys": {},
}

it works just fine. It would be good if minified JSON files worked too :)

Thanks for an excellent library!

Answer 1 · 2023-10-04T17:56:13.000Z

Thanks @sweoggy ! We were using some goofy string hacks to get the version previously. I just submitted a PR (#113) to use the json Unmarshaler instead for JSON-based SBOMs. I also added your minified.cdx.json to the test cases we will ensure work going forward. Will let you know when this PR gets reviewed and merged.