fix: identify CycloneDX JSON without $schema #2303

Merged
merged 1 commit into from
Nov 8, 2023

@kzantow kzantow commented Nov 8, 2023

This PR corrects an issue where identifying CycloneDX JSON documents was too strict, requiring the $schema field to be present. Whether this is required or not, Syft can be a bit more lax about parsing CycloneDX JSON and just look for the bomFormat and specVersion fields.

Fixes #2299

Signed-off-by: Keith Zantow <kzantow@gmail.com>
@kzantow kzantow changed the title from "fix: identify cyclone-json without $schema" to "fix: identify CycloneDX JSON without $schema" Nov 8, 2023
@kzantow kzantow requested a review from a team November 8, 2023 15:11
@@ -75,7 +74,7 @@ func (d decoder) Identify(reader io.ReadSeeker) (sbom.FormatID, string) {
return "", ""
}

id, version := getFormatInfo(doc.JSONSchema, doc.BOMFormat, doc.SpecVersion)
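
Review bot: the `getFormatInfo(doc.JSONSchema, doc.BOMFormat, doc.SpecVersion)` call on the last line of this hunk still receives `doc.JSONSchema`, so it is worth confirming that an empty schema value can no longer lead to the `return "", ""` path shown above it. A test that runs `Identify` on a document carrying only `bomFormat` and `specVersion` would pin that down, and a short comment stating that `$schema` is optional would answer the question for later readers.
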
Contributor

is json-schema optional?

Contributor Author

$schema is not valid for CycloneDX 1.2, at least: https://github.com/CycloneDX/specification/blob/1.2/schema/bom-1.2.schema.json
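
The identification rule described in this PR (rely on `bomFormat` and `specVersion`, treat `$schema` as optional), as an added example that is not part of the PR or Syft's code. The names `identify`, `header`, `formatID` and the "major.minor" version check are assumptions made for illustration, and the sample documents are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// formatID is an illustrative identifier chosen for this example.
const formatID = "cyclonedx-json"

// specVersionRE is an assumed shape check ("major.minor"), not taken from the PR.
var specVersionRE = regexp.MustCompile(`^\d+\.\d+$`)

// header captures only the top-level fields relevant to identification.
type header struct {
	Schema      string `json:"$schema"` // may be absent; never required
	BOMFormat   string `json:"bomFormat"`
	SpecVersion string `json:"specVersion"`
}

// identify returns (formatID, specVersion) for CycloneDX JSON, or ("", "")
// when the input is not JSON or lacks the two identifying fields.
func identify(data []byte) (string, string) {
	var h header
	if err := json.Unmarshal(data, &h); err != nil {
		return "", "" // not JSON, or a field has the wrong type
	}
	if h.BOMFormat != "CycloneDX" || !specVersionRE.MatchString(h.SpecVersion) {
		return "", ""
	}
	return formatID, h.SpecVersion
}

func main() {
	// Constructed sample documents.
	samples := []string{
		`{"$schema":"http://cyclonedx.org/schema/bom-1.5.schema.json","bomFormat":"CycloneDX","specVersion":"1.5"}`,
		`{"bomFormat":"CycloneDX","specVersion":"1.2","version":1}`, // no $schema
		`{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT"}`,
		`{"bomFormat":"CycloneDX"}`, // missing specVersion
	}
	for _, s := range samples {
		id, v := identify([]byte(s))
		fmt.Printf("id=%q version=%q\n", id, v)
	}
}
```

Because the check no longer depends on `$schema`, any JSON object carrying these two fields is treated as CycloneDX, so a consumer that ingests untrusted SBOMs should still validate the full document after identification.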

@kzantow kzantow merged commit d91c2dd into anchore:main Nov 8, 2023
10 checks passed
@kzantow kzantow deleted the fix/cyclonedx-identification branch November 8, 2023 16:54
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Successfully merging this pull request may close these issues.

Unable to identify CycloneDX JSON documents without $schema property