Fix failing JSON BOM validation when specVersion is not one of the …

…first fields

Problem was that the search for `specVersion` was aborted upon encountering a `}` token. It should be `EOF` (or `null` in case of `JsonParser#nextToken`) instead.

Fixes DependencyTrack#3696

Signed-off-by: nscuro <nscuro@protonmail.com>

src/main/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidator.java

@@ -126,7 +126,7 @@ private CycloneDxSchema.Version detectSchemaVersionFromJson(final byte[] bomByte
             }
 
             CycloneDxSchema.Version schemaVersion = null;
-            while (jsonParser.nextToken() != JsonToken.END_OBJECT) {
+            while (jsonParser.nextToken() != null) {
                 final String fieldName = jsonParser.getCurrentName();
                 if ("specVersion".equals(fieldName)) {
                     if (jsonParser.nextToken() == JsonToken.VALUE_STRING) {

src/test/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidatorTest.java

@@ -22,6 +22,7 @@
 import org.junit.Test;
 
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+import static org.assertj.core.api.Assertions.assertThatNoException;
 
 public class CycloneDxValidatorTest {
 
@@ -162,4 +163,17 @@ public void testValidateXmlWithInvalidComponentType() {
                                 valid with respect to its type, 'classification'.""");
     }
 
+    @Test // https://github.com/DependencyTrack/dependency-track/issues/3696
+    public void testValidateJsonWithSpecVersionAtTheBottom() {
+        assertThatNoException()
+                .isThrownBy(() -> validator.validate("""
+                        {
+                          "metadata": {},
+                          "components": [],
+                          "bomFormat": "CycloneDX",
+                          "specVersion": "1.5"
+                        }
+                        """.getBytes()));
+    }
+
 }