feat: load XML with `##other` elements and `##any` attributes

[makew0rld]

Signed BOM XML (valid)

<?xml version="1.0" encoding="utf-8"?>
<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:0440a166-963d-46c1-82ca-1b512779a032" xmlns="http://cyclonedx.org/schema/bom/1.6">
  <metadata>
    <timestamp>2025-07-10T20:21:08.835916Z</timestamp>
    <tools>
      <components>
        <component type="application">
          <name>CycloneDX CLI</name>
          <version>0.28.2.0</version>
        </component>
      </components>
    </tools>
  </metadata>
  <components>
    <component type="file">
      <name>public.key</name>
      <version>0.0.0-a17c1d295517</version>
      <hashes>
        <hash alg="SHA-1">a17c1d2955174397d8429bd7d10fa3125a891b5c</hash>
        <hash alg="SHA-256">12ee903e2f3d2a4a93256d0e54d0998a52c8834bd46f9cf610a33b05a22d7d71</hash>
        <hash alg="SHA-384">8a6b8506eba1b29dcd073e5b30320e15988735d9927bbd38af5cb164ab0403965c3206013327af3556b1859c115173f7</hash>
        <hash alg="SHA-512">28bf538a03fbeee3f965d74d68116b5edf3ce6fce9ac4d581a8116bfc6e9cf094137e858c121e029e344046f9b3846d0bb1b4bb22b81a1956f73fbd14dfa1356</hash>
      </hashes>
    </component>
    <component type="file">
      <name>private.key</name>
      <version>0.0.0-4e2c53f9fb8b</version>
      <hashes>
        <hash alg="SHA-1">4e2c53f9fb8b08e8a47bbe8a4e5291648254d71c</hash>
        <hash alg="SHA-256">a0e728792d1efaaaa93304f30f9046a9df8db5875e7072fd9892cf7672ca56f9</hash>
        <hash alg="SHA-384">debb87d4f4fb65121fdcecde8ac58121c891c862bda0f40871e271d7b212b8940907335ea43daacbb64893783c3249c5</hash>
        <hash alg="SHA-512">5313a19fea8eb5750f3261fb0e48e356808250d2567696d900b19a55b9e4495c98d8846a8a01c0cd11ba204d3b1c5549da6093ec64dbdeed263bdd9ebdec9d55</hash>
      </hashes>
    </component>
    <component type="file">
      <name>bom_unsigned.xml</name>
      <version>0.0.0-da39a3ee5e6b</version>
      <hashes>
        <hash alg="SHA-1">da39a3ee5e6b4b0d3255bfef95601890afd80709</hash>
        <hash alg="SHA-256">e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</hash>
        <hash alg="SHA-384">38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b</hash>
        <hash alg="SHA-512">cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e</hash>
      </hashes>
    </component>
    <component type="file">
      <name>example.txt</name>
      <version>0.0.0-22596363b3de</version>
      <hashes>
        <hash alg="SHA-1">22596363b3de40b06f981fb85d82312e8c0ed511</hash>
        <hash alg="SHA-256">a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447</hash>
        <hash alg="SHA-384">6b3b69ff0a404f28d75e98a066d3fc64fffd9940870cc68bece28545b9a75086b343d7a1366838083e4b8f3ca6fd3c80</hash>
        <hash alg="SHA-512">db3974a97f2407b7cae1ae637c0030687a11913274d578492558e39c16c017de84eacdc8c62fe34ee4e12b4b1428817f09b6a2760c3f8a664ceae94d2434a593</hash>
      </hashes>
    </component>
    <component type="file">
      <name>example2.txt</name>
      <version>0.0.0-d53a205a336e</version>
      <hashes>
        <hash alg="SHA-1">d53a205a336e07cf9eac45471b3870f9489288ec</hash>
        <hash alg="SHA-256">1f2ec52b774368781bed1d1fb140a92e0eb6348090619c9291f9a5a3c8e8d151</hash>
        <hash alg="SHA-384">92199e1e9f19bc582673f7a016cff06e106dabf32931feeb47f112a01f5efbfb3e81e98a46b0d28e5952dcce0cdfcb0f</hash>
        <hash alg="SHA-512">98a28206f2dc7a9c29bdbed20d0c883d116f095ed12d58123f6fd5e6b0d43d72de208438d93e6e444bfb073555addba2fbed59c8b41a1d09d3fd9e8843974e97</hash>
      </hashes>
    </component>
  </components>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><DigestValue>tSHVo7UgCxvvmFusf+2UzjhxXa2PyvLHaIvyNlB/yp8=</DigestValue></Reference></SignedInfo><SignatureValue>gep3n58O7GLUk/jwmOda8HlwkiqA40CRhJYgoJbMJ6xZphfn7s/JHDByeptXvbolB6nVw5qAQ/mKCAkh0x7NGzWwSWypmpysK3zuUZuMihTSizd+kclwCJYamQ0l4Lqqp13Ii/6C8N56vlbci9P3NwOVC910Jj6GAFj2Ci4zCNz0tstpu7cDE2/okRR4jBzisOpr2FCaHWUfkZUiGm7ueCg/T+v2Z0HM8qcG//+iMlvHcb5yXKUObDvW8CYsMzNW0Zdhs/qf6WkPpp6QBeWxVB+5QUfMZ+F0fP3fRaerjwh6mGkOVl7QODHcIcp153yX8JxU+c0ndRacNywPBGmxTQ==</SignatureValue></Signature></bom>

Code:

import sys
from typing import TYPE_CHECKING
from defusedxml import ElementTree as SafeElementTree  # type:ignore[import-untyped]
from cyclonedx.exception import MissingOptionalDependencyException
from cyclonedx.model.bom import Bom
from cyclonedx.schema import OutputFormat, SchemaVersion
from cyclonedx.validation import make_schemabased_validator

if TYPE_CHECKING:
    from cyclonedx.validation.xml import XmlValidator


with open("bom.xml", "r") as f:
    xml_data = f.read()

my_xml_validator: "XmlValidator" = make_schemabased_validator(
    OutputFormat.XML, SchemaVersion.V1_6
)
try:
    xml_validation_errors = my_xml_validator.validate_str(xml_data)
    if xml_validation_errors:
        print(
            "XML invalid",
            "ValidationError:",
            repr(xml_validation_errors),
            sep="\n",
            file=sys.stderr,
        )
        sys.exit(2)
    print("XML valid")
except MissingOptionalDependencyException as error:
    print("XML-validation was skipped due to", error)
bom_from_xml = Bom.from_xml(  # type: ignore[attr-defined]
    SafeElementTree.fromstring(xml_data)
)
print("bom_from_xml", repr(bom_from_xml))

Output:

❯ python main.py
XML valid
Traceback (most recent call last):
  File "./main.py", line 34, in <module>
    bom_from_xml = Bom.from_xml(  # type: ignore[attr-defined]
        SafeElementTree.fromstring(xml_data)
    )
  File "./.venv/lib/python3.13/site-packages/py_serializable/__init__.py", line 651, in from_xml
    raise ValueError(f'{decoded_k} is not a known Property for {cls.__module__}.{cls.__qualname__}')
ValueError: {http://www.w3.org/2000/09/xmldsig#}_signature is not a known Property for cyclonedx.model.bom.Bom

Possible duplicate of #696? I just wanted to confirm in case this is unexpected.

[jkowalleck]

technical background:

the XML schema is "lax", so that it keeps the idea of XML being eXtensible.
in this exact case, the schema defines bom as

<xs:element name="bom">
   <xs:complexType>
      <xs:sequence>
         <xs:element name="metadata" type="bom:metadata" minOccurs="0" maxOccurs="1"/>
         <xs:element name="components" type="bom:componentsType" minOccurs="0" maxOccurs="1"/>
<!-- [...] -->
         <xs:element name="definitions" type="bom:definitionsType" minOccurs="0" maxOccurs="1"/>
         <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="version" type="xs:positiveInteger" default="1"/>
      <xs:attribute name="serialNumber" type="bom:urnUuid"/>
      <xs:anyAttribute namespace="##any" processContents="lax"/>
   </xs:complexType>
   <xs:unique name="bom-ref">
      <xs:selector xpath=".//*"/>
      <xs:field xpath="@bom-ref"/>
   </xs:unique>
</xs:element>

see this <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> allows the existence of elements defined in another namespace.
These elements should be ignored when deserialization happens.

the needed feature to handle arbitrary extended elements/attributes was not implemented, yet.

[jkowalleck]

Possible duplicate of #696? I just wanted to confirm in case this is unexpected.

nope, not a feature lack in the python CycloneDX library, but a feature lack in the XML deserialize library(1) - as described here: #850 (comment)

PS: caused madpah/serializable#176

[makew0rld]

Thanks for looking into this. I would guess this means this library doesn't support extracting signature information from the BOM? Is there a way to do that, or is that what #696 is about.

[jkowalleck]

XML signature is not part if the CycloneDX spec, or is it?
We intend to support the full CycloneDX spec eventually, and only the CycloneDX spec.

[makew0rld]

The spec mentions "XML Signature" twelve times. As far as I can tell it's definitely part of it, same as JSON signing (through JSF) is.

[jkowalleck]

The spec mentions "XML Signature" twelve times. As far as I can tell it's definitely part of it, same as JSON signing (through JSF) is.

Only for JSON implementation of CycloneDX, not for XML implementation, right?

[makew0rld]

Looking at some more pages, it seems XML signing is not part of the CycloneDX schema, and lives in a different namespace. But it is part of the CycloneDX spec. It comes up again and again:

See also CycloneDX/specification#10.

In my opinion this library should support accessing signatures since they are so prominently featured in the specification. This would also match functionality between JSON and XML (although I know JSON sigs aren't supported in this lib yet).

[jkowalleck]

if you feel the need for a signing feature, please open a new ticket for this.