
Enhancement: more information about schema errors #35

Closed
esnible opened this issue May 29, 2023 · 8 comments
Labels
enhancement New feature or request good first issue Good for newcomers help wanted Extra attention is needed

Comments

@esnible

esnible commented May 29, 2023

I tried sbom-utility against https://github.com/chainguard-dev/bom-shelter/blob/main/in-the-wild/cyclonedx/obsidian-sailboat-sbom-cdx.json . 407 errors were found, here is the first one:

	1. Type: [number_one_of], Field: [components.0.licenses.0.license], Description: [Must validate one and only one schema (oneOf)] 
	Failing object: [{
	  "url": "https://github.com/AngleSharp/AngleSharp/blob/master/LICENSE"
	}]

First question. sbom-utility logged Schema "schema/cyclonedx/1.2/bom-1.2.schema.json" loaded. but the error seems to be coming from validation in resources/schema/cyclonedx/1.2/bom-1.2-strict.schema.json, not resources/schema/cyclonedx/1.2/bom-1.2.schema.json.

The failing validation is

            "oneOf":[
              {
                "required": ["license"]
              },
              {
                "required": ["expression"]
              }

The failing component has

      "licenses": [
        {
          "license": {
            "url": "https://github.com/AngleSharp/AngleSharp/blob/master/LICENSE"
          }
        }
      ],

It isn't clear to me what is wrong with this license. In this case I could tell from the URL which fragment was the problem but I would like to see the JSON Path, e.g. to component. I would also like to see the more details of the failed validation. At first glance I see a license.

Type: [number_one_of], Field: [components.0.licenses.0.license], Description: [Must validate one and only one schema (oneOf)] No "license", no "expression"
Failing object components[0]/license[0] : [{
"url": "https://github.com/AngleSharp/AngleSharp/blob/master/LICENSE"
}]

@esnible
Author

esnible commented May 29, 2023

Second example. I ran this on an SBOM with 9928 components. There were duplicate components.

	1. Type: [unique], Field: [components], Description: [array items[3,243] must be unique] 
	Failing object: [[
	  {
	    "name": "acl",
	    "publisher": "Guillem Jover <guillem@ ... (truncated)

The message is correct, components[3] and components[243] were duplicates. However, the "failing object" is truncated to show components[0]. But it wasn't related to the message. It would be much easier to read the message if the message showed components[3] instead of components[0].

@mrutkows
Contributor

mrutkows commented Jun 7, 2023

Hi @esnible, Let me try and respond to your comments...

the error seems to be coming from validation in resources/schema/cyclonedx/1.2/bom-1.2-strict.schema.json, not resources/schema/cyclonedx/1.2/bom-1.2.schema.json.

The non-strict CDX v1.2 JSON schema does enforce the "OneOf" constraint for "license" (not just in strict):

In fact, the "strict" schema, if a "diff" is performed, typically only adds the "additionalProperties": false property to almost every type definition (which prevents any non-standard fields).


The message is correct, components[3] and components[243] were duplicates. However, the "failing object" is truncated to show components[0]. But it wasn't related to the message. It would be much easier to read the message if the message showed components[3] instead of components[0].

Unfortunately, the schema error results processing code only reports at the granularity of the owning object, in this case an array. In this case, it is enforcing a "uniqueness" constraint within the entirety of the array.

If you would like to add special logic as a pull request to look for this specific error case (i.e., array uniqueness) and post-process the error results to reduce the result set reported (as you likely did manually after using debug option) I would welcome that.

Otherwise, please update the title to limit the request to that specific enhancement (and ack. that the "v1.2" / strict issue is not the enhancement being requested)...

If you do submit a PR, please reference this issue.

@mrutkows
Contributor

mrutkows commented Jun 7, 2023

@esnible I was wondering why your tooling was still using an outdated version of the .NET tool:

"tools": [{
        "vendor": "CycloneDX",
        "name": "CycloneDX module for .NET",
        "version": "1.6.1.0"
      }

which was from June 27, 2021 (https://github.com/CycloneDX/cyclonedx-dotnet/releases/tag/v1.6.1).

as I see that the latest version is 2.7:

I would imagine that the newer version would support v1.3 at the very least, but expect it to support v1.4 which has been out for some time and v1.5 will be released GA in a few weeks.

@mrutkows mrutkows added enhancement New feature or request good first issue Good for newcomers help wanted Extra attention is needed labels Jun 7, 2023
@mrutkows
Contributor

mrutkows commented Jun 7, 2023

BTW, I almost missed your last question...

It isn't clear to me what is wrong with this license:

"licenses": [
        {
          "license": {
            "url": "https://github.com/AngleSharp/AngleSharp/blob/master/LICENSE"
          }
        }
      ],

The answer is simple looking at the schema for "license":

"license": {
      "type": "object",
      "title": "License Object",
      "oneOf": [
        {
          "required": ["id"]
        },
        {
          "required": ["name"]
        }
      ],

you need to provide one of the required fields... either id or name (as url is an optional field). Preferably you would supply an id which would be an actual SPDX ID (identifier).

@mrutkows
Contributor

mrutkows commented Jun 7, 2023

@esnible I may ask you to close this issue and then create a new one solely for the "enhancement" to the "array error result processing" so that when a developer works on it, it is disentangled from the other questions/issues surfaced here.

Would that be possible? You can ref. this issue for history...

@esnible
Author

esnible commented Jun 7, 2023

@esnible I was wondering why your tooling was still using an outdated version of the .NET tool:

I created this issue after I received a proprietary SBOM with 37562 components, but only 5812 unique components. I couldn't attach the proprietary SBOM, but saw a similar error in the public github.com/chainguard-dev/bom-shelter repo. I am not using the old tooling myself.

It might be better if you created the "array result processing enhancement" Issue. I know what I want to see but I don't know how to express it within the schema validation terminology.

When I see a message saying I have "64440 errors" in my SBOM, my wish is that "having duplicates" would be displayed as one error, not as a unique error for every duplicate pair. The large number of duplicate pair errors makes it hard to see if any other errors besides duplication are present.

@mrutkows
Contributor

mrutkows commented Jun 7, 2023

@esnible I understand your intent and will try to open a new issue and ref. this one... however, this will require IMO a new "special processing" path (with new flags to enable/disable) and require some considered thought to only collapse/condense when it can be certain they are the same error. However, having this many errors (esp. duplicates) is NOT normal.

In any event, the tool developer should not be producing duplicates (invalid SBOMs) and hopefully you are opening an issue against them as they are clearly not validating their output at all!
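Added example, not code from sbom-utility or from anyone in this thread: a small Python post-processor that illustrates both points discussed above, reporting the two-level CycloneDX 1.2 license oneOf failure (license|expression, then id|name) with a JSON path, and collapsing the per-pair "array items must be unique" errors on components into one finding per duplicated value. The sample BOM and the package names in it are constructed.

```python
import json
from collections import defaultdict

# Constructed sample (not the SBOM from the issue): a minimal CycloneDX 1.2-shaped "components" array.
SAMPLE_BOM = {"components": [
    {"name": "acl", "version": "2.2.53", "licenses": [{"license": {"id": "LGPL-2.1-only"}}]},
    {"name": "anglesharp", "version": "0.14.0",
     "licenses": [{"license": {"url": "https://example.test/LICENSE"}}]},  # url only: fails id|name
    {"name": "acl", "version": "2.2.53", "licenses": [{"license": {"id": "LGPL-2.1-only"}}]},  # dup of [0]
    {"name": "zlib", "version": "1.2.13", "licenses": [{"expression": "Zlib"}]},
    {"name": "acl", "version": "2.2.53", "licenses": [{"license": {"id": "LGPL-2.1-only"}}]},  # dup of [0]
]}

def one_of_failure(obj, keys):
    """None if exactly one of `keys` is present (the schema's oneOf/required idiom), else why not."""
    present = [k for k in keys if k in obj]
    return None if len(present) == 1 else f"expected exactly one of {list(keys)}, found {present}"

def license_errors(bom):
    """Report each oneOf failure under components[].licenses[] with its JSON path, at both
    levels of the CDX 1.2 schema quoted in the thread (license|expression, then id|name)."""
    errors = []
    for ci, comp in enumerate(bom.get("components", [])):
        for li, choice in enumerate(comp.get("licenses", [])):
            path = f"components[{ci}].licenses[{li}]"
            why = one_of_failure(choice, ("license", "expression"))  # LicenseChoice level
            if why:
                errors.append((path, why))
            elif "license" in choice:
                why = one_of_failure(choice["license"], ("id", "name"))  # License object level
                if why:
                    errors.append((path + ".license", why))
    return errors

def duplicate_groups(items):
    """Group array indices by canonical JSON so every repeat of one value is ONE finding
    (not one error per duplicate pair). Returns e.g. [[0, 2, 4]]."""
    by_value = defaultdict(list)
    for i, item in enumerate(items):
        by_value[json.dumps(item, sort_keys=True, separators=(",", ":"))].append(i)
    return [idx for idx in by_value.values() if len(idx) > 1]

def summarize(bom):
    """Condensed report: one line per license failure, one line per set of duplicate components."""
    comps = bom.get("components", [])
    lines = [f"{path}: {why}" for path, why in license_errors(bom)]
    for idx in duplicate_groups(comps):
        lines.append(f"components: {len(idx)} identical entries at indices {idx} (name={comps[idx[0]].get('name')!r})")
    return lines
```

On the sample this yields one license finding at components[1].licenses[0].license and one duplicate finding covering indices [0, 2, 4], instead of a separate error for each duplicate pair.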

@mrutkows
Contributor

mrutkows commented Jun 8, 2023

Saved the enhancement request in a separate issue #37

@mrutkows mrutkows closed this as completed Jun 8, 2023