Jfrog's Xray generated SBOM not passing Chainloop CycloneDX 1.6 schema validation #2514

@jiparis

Description

We are experiencing issues trying to add an SBOM generated by JFrog's Xray. The SBOM (CycloneDX 1.6) contains a duplicated component entry and a null cwes array. Both are illegal and won't validate against the CycloneDX schema or the online validator (https://cyclonedx.github.io/cyclonedx-web-tool/validate).

❯ chainloop attestation add --value ~/Downloads/Docker_806fa3e_SBOM_Export_CycloneDX.json --kind SBOM_CYCLONEDX_JSON --debug
DBG using config file path="/Users/javirln/Library/Application Support/chainloop/config.devel.toml"
DBG using local state path=file:/var/folders/ct/h8h0pjcd6q180cnxqhykjv3c0000gn/T/chainloop-attestation.tmp.json
DBG loading state state=file:///var/folders/ct/h8h0pjcd6q180cnxqhykjv3c0000gn/T/chainloop-attestation.tmp.json
DBG loaded state state=file:///var/folders/ct/h8h0pjcd6q180cnxqhykjv3c0000gn/T/chainloop-attestation.tmp.json
DBG error decoding file: [I#] [S#] doesn't validate with http://cyclonedx.org/schema/bom-1.6.schema.json#
  [I#/components] [S#/properties/components/uniqueItems] items at index 403 and 404 are equal
  [I#/vulnerabilities] [S#/properties/vulnerabilities]
    [I#/vulnerabilities/33] [S#/properties/vulnerabilities/items/$ref] doesn't validate with '/definitions/vulnerability'
      [I#/vulnerabilities/33/cwes] [S#/definitions/vulnerability/properties/cwes/type] expected array, but got null
    [I#/vulnerabilities/102] [S#/properties/vulnerabilities/items/$ref] doesn't validate with '/definitions/vulnerability'
      [I#/vulnerabilities/102/cwes] [S#/definitions/vulnerability/properties/cwes/type] expected array, but got null error="jsonschema: '/components' does not validate with http://cyclonedx.org/schema/bom-1.6.schema.json#/properties/components/uniqueItems: items at index 403 and 404 are equal"
ERR adding material: crafting material: invalid cyclonedx sbom file: unexpected material type

Checking the repeated component:

total_components: 1073

--- index 403 ---
bom-ref: pkg:generic/jrt-fs.jar
name: jrt-fs.jar
version: None
purl: pkg:generic/jrt-fs.jar
full:
{
  "bom-ref": "pkg:generic/jrt-fs.jar",
  "type": "application",
  "name": "jrt-fs.jar",
  "licenses": [],
  "purl": "pkg:generic/jrt-fs.jar"
}

--- index 404 ---
bom-ref: pkg:generic/jrt-fs.jar
name: jrt-fs.jar
version: None
purl: pkg:generic/jrt-fs.jar
full:
{
  "bom-ref": "pkg:generic/jrt-fs.jar",
  "type": "application",
  "name": "jrt-fs.jar",
  "licenses": [],
  "purl": "pkg:generic/jrt-fs.jar"
}

While this is wrong from a strict schema perspective, it doesn't represent a functional issue for Chainloop. Chainloop's mission is to gather and securely store all the evidence generated in the SSDL. The fact that there is a repeated component won't break any of the Chainloop features, and I'm not sure if it's Chainloop that should do such validation. Recognizing and discovering the format is still a valuable feature though.

My suggestion is to consider relaxing the validation of material schemas, or otherwise improve the error messages (unexpected material type is not accurate in this case) and give users a hint about why it didn't pass.
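As an added example (not Chainloop's or Xray's code), a small Python check that flags the two defects described above the way the schema validator does, comparing components by deep equality as JSON Schema's uniqueItems does, and produces a normalized copy that drops exact duplicates and null cwes while leaving everything else untouched. The embedded BOM is a constructed miniature, not the attached export.

```python
import json

# Constructed sample (not the issue's real file): a trimmed CycloneDX 1.6
# document reproducing the two defects reported, a duplicated component
# entry and a null "cwes" array.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"bom-ref": "pkg:generic/a.jar", "type": "library", "name": "a.jar"},
        {"bom-ref": "pkg:generic/jrt-fs.jar", "type": "application",
         "name": "jrt-fs.jar", "licenses": [], "purl": "pkg:generic/jrt-fs.jar"},
        {"bom-ref": "pkg:generic/jrt-fs.jar", "type": "application",
         "name": "jrt-fs.jar", "licenses": [], "purl": "pkg:generic/jrt-fs.jar"},
    ],
    "vulnerabilities": [{"id": "VULN-A", "cwes": [79]},
                        {"id": "VULN-B", "cwes": None}],
}


def _canonical(value) -> str:
    # JSON Schema's uniqueItems compares items by deep equality; a canonical
    # serialization (sorted keys, no whitespace) yields the same relation.
    return json.dumps(value, sort_keys=True, separators=(",", ":"))


def find_schema_defects(bom: dict) -> list[str]:
    """Report the two defects from the issue in the style of the validator."""
    findings, seen = [], {}
    for idx, comp in enumerate(bom.get("components", [])):
        key = _canonical(comp)
        if key in seen:
            findings.append(f"components[{seen[key]}] and components[{idx}] are equal")
        else:
            seen[key] = idx
    for idx, vuln in enumerate(bom.get("vulnerabilities", [])):
        if "cwes" in vuln and vuln["cwes"] is None:
            findings.append(f"vulnerabilities[{idx}].cwes is null, expected array")
    return findings


def normalize(bom: dict) -> dict:
    """Copy with exact-duplicate components dropped and null cwes removed."""
    out = json.loads(json.dumps(bom))  # deep copy; the input is not modified
    unique, seen = [], set()
    for comp in out.get("components", []):
        if _canonical(comp) not in seen:
            seen.add(_canonical(comp))
            unique.append(comp)
    out["components"] = unique
    for vuln in out.get("vulnerabilities", []):
        if "cwes" in vuln and vuln["cwes"] is None:
            del vuln["cwes"]  # absent is schema-valid, null is not
    return out
```

Only exact duplicates are collapsed; two entries that differ in any field are both kept, since deciding which is authoritative is a judgement the tool should not make silently.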

Labels: bug (Something isn't working), enhancement (New feature or request)