
[BUG] component.licenses not valid against schema in version 1.0 #151

Closed
madpah opened this issue Jan 27, 2022 · 2 comments · Fixed by #148
Labels: bug, schema 1.0
@madpah
Collaborator

madpah commented Jan 27, 2022

Example code to produce BOM:

# Imports as used by cyclonedx-python-lib at the time of this issue (added for completeness)
from cyclonedx.model.bom import Bom
from cyclonedx.model.component import Component
from packageurl import PackageURL

bom = Bom(
    components=[Component(
        name='setuptools', version='50.3.2', bom_ref='pkg:pypi/setuptools@50.3.2?extension=tar.gz',
        purl=PackageURL(
            type='pypi', name='setuptools', version='50.3.2', qualifiers='extension=tar.gz'
        ), license_str='MIT License', author='Test Author'
    )]
)

This attempts to produce XML for the Component as follows:

<component type="library" bom-ref="pkg:pypi/setuptools@50.3.2?extension=tar.gz">
    <name>setuptools</name>
    <version>50.3.2</version>
    <licenses>
        <expression>MIT License</expression>
    </licenses>
    <cpe>cpe:2.3:a:python:setuptools:50.3.2:*:*:*:*:*:*:*</cpe>
    <purl>pkg:pypi/setuptools@50.3.2?extension=tar.gz</purl>
</component>

.licenses.expression is not permissible in schema version 1.0.
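As an added illustration (not code from cyclonedx-python-lib or from the fix referenced in this issue), the following shows a version-aware way to render the licenses block and a pre-serialisation check that flags the exact mistake above. It assumes, from the CycloneDX XSDs, that `<expression>` first appears in schema 1.1 and that 1.0 only offers `<licenses><license>` with `<id>` or `<name>`; the sample BOM is constructed.

```python
import xml.etree.ElementTree as ET
# Assumption (from the CycloneDX XSDs): <expression> exists from schema 1.1 on;
# 1.0 only offers <licenses><license> with <id> or <name>.
EXPRESSION_MIN_VERSION = (1, 1)


def parse_version(schema_version: str) -> tuple:
    return tuple(int(p) for p in schema_version.split("."))


def render_licenses(license_str: str, schema_version: str) -> ET.Element:
    """<licenses> for the target schema: <expression> for 1.1+, but the
    free-text <license><name> form for 1.0, which has no <expression>."""
    licenses = ET.Element("licenses")
    if parse_version(schema_version) >= EXPRESSION_MIN_VERSION:
        ET.SubElement(licenses, "expression").text = license_str
    else:
        lic = ET.SubElement(licenses, "license")
        ET.SubElement(lic, "name").text = license_str
    return licenses


def local_name(tag: str) -> str:
    # Drop a namespace prefix such as {http://cyclonedx.org/schema/bom/1.0}
    return tag.rsplit("}", 1)[-1]


def find_license_violations(bom_xml: str, schema_version: str) -> list:
    """Names of components whose <licenses> uses <expression> although the
    target schema version predates that element (pre-serialisation check)."""
    if parse_version(schema_version) >= EXPRESSION_MIN_VERSION:
        return []
    bad = []
    for comp in ET.fromstring(bom_xml).iter():
        if local_name(comp.tag) != "component":
            continue
        name = next((c.text for c in comp if local_name(c.tag) == "name"), "?")
        if any(local_name(e.tag) == "expression" for e in comp.iter()):
            bad.append(name)
    return bad


# Constructed sample: the fragment from the issue, wrapped in a 1.0 <bom>.
SAMPLE_BOM_1_0 = (
    '<bom xmlns="http://cyclonedx.org/schema/bom/1.0" version="1"><components>'
    '<component type="library"><name>setuptools</name><version>50.3.2</version>'
    '<licenses><expression>MIT License</expression></licenses></component>'
    '</components></bom>'
)
```

Running `find_license_violations(SAMPLE_BOM_1_0, "1.0")` reports `setuptools`, while the same document targeted at 1.4 passes; `render_licenses("MIT License", "1.0")` produces the `<license><name>` form instead of `<expression>`.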

@madpah madpah added bug Something isn't working schema 1.0 labels Jan 27, 2022
madpah added a commit that referenced this issue Jan 27, 2022
…#152

Signed-off-by: Paul Horton <phorton@sonatype.com>
@madpah madpah added this to the 1.4.0 milestone Jan 27, 2022
@madpah madpah mentioned this issue Jan 27, 2022
@jkowalleck
Member

jkowalleck commented Jan 29, 2022

@madpah the fix I would suggest: drop support for spec 1.0 :-)
spec 1.0 has a lot of missing elements, some assumptions that did not meet the real world...

@madpah madpah self-assigned this Feb 2, 2022
@madpah madpah linked a pull request Feb 2, 2022 that will close this issue
@madpah
Collaborator Author

madpah commented Feb 2, 2022

Agree that at some point @jkowalleck we need to drop support for 1.0 and possibly other old schema versions.

Will raise a ticket to track this.
