
Validate command incorrectly reports an error for `GD` license

Open kkovaletp opened this issue 4 years ago • 3 comments

I've validated an SBOM built by Anchore Syft, containing the following component, with the command cyclonedx-cli validate --input-file ${NGINX_REPORTS}/Details/Anchore-SBOM.xml --input-version v1_4:

<component type="library">
  <publisher>GD Team <[email protected]></publisher>
  <name>libgd3</name>
  <version>2.3.0-2</version>
  <licenses>
    <license>
      <id>BSD-3-Clause</id>
    </license>
    <license>
      <id>GD</id>
    </license>
    <license>
      <id>GPL-2.0</id>
    </license>
    <license>
      <id>GPL-2.0+</id>
    </license>
    <license>
      <id>HPND</id>
    </license>
    <license>
      <id>MIT</id>
    </license>
  </licenses>
  <cpe>cpe:2.3:a:libgd3:libgd3:2.3.0-2:*:*:*:*:*:*:*</cpe>
  <purl>pkg:deb/debian/[email protected]?arch=amd64&upstream=libgd2&distro=debian-11</purl>
  <properties>
    <property name="syft:package:foundBy">dpkgdb-cataloger</property>
    <property name="syft:package:metadataType">DpkgMetadata</property>
    <property name="syft:package:type">deb</property>
    <property name="syft:location:0:layerID">sha256:c91abae8e127264382b71f8b64fdbab94c0b9a146d2969e64fa087c3b3ca2c68</property>
    <property name="syft:location:0:path">/var/lib/dpkg/status</property>
    <property name="syft:location:1:layerID">sha256:c91abae8e127264382b71f8b64fdbab94c0b9a146d2969e64fa087c3b3ca2c68</property>
    <property name="syft:location:1:path">/var/lib/dpkg/info/libgd3:amd64.md5sums</property>
    <property name="syft:location:2:layerID">sha256:c91abae8e127264382b71f8b64fdbab94c0b9a146d2969e64fa087c3b3ca2c68</property>
    <property name="syft:location:2:path">/usr/share/doc/libgd3/copyright</property>
    <property name="syft:metadata:installedSize">463</property>
    <property name="syft:metadata:source">libgd2</property>
  </properties>
</component>

And I got the following output from the tool:

Validating XML BOM...
Validation failed at line number 10264 and position 19: The 'http://cyclonedx.org/schema/bom/1.4:id' element is invalid - The value 'GD' is invalid according to its datatype 'http://cyclonedx.org/schema/spdx:licenseId' - The Enumeration constraint failed.
BOM is not valid.

However, the spec has an explicit list of licenses: https://cyclonedx.org/docs/1.4/json/#components_items_licenses_items_license_id One of them is "GD".

kkovaletp avatar Mar 19 '22 05:03 kkovaletp

Support for GD was introduced in SPDX license list v3.12.

It appears the SPDX license list used by cyclonedx-dotnet-library is still at 3.10.

The current version is v3.16 and is available at:

  • https://github.com/CycloneDX/specification/blob/master/schema/spdx.schema.json
  • https://github.com/CycloneDX/specification/blob/master/schema/spdx.xsd

@coderpatros Likely just need to update the schema in the dotnet-library, release, and bump the version used in the CLI and release an updated version.

stevespringett avatar Mar 19 '22 21:03 stevespringett
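The failure described in this thread is a plain enumeration check: the XSD's spdx:licenseId type only admits ids present in whatever SPDX license-list snapshot was baked into the schema, so an SBOM that uses an id added in a later list version fails even though the id is legitimate. The script below is an added example, not code from the issue or from cyclonedx-cli/cyclonedx-dotnet-library; it re-implements that check explicitly so the offending ids are reported by name, and runs it against a trimmed copy of the libgd3 component above with two constructed id sets standing in for an older list (no GD) and a newer one (with GD). The sets are illustrative subsets, not the real SPDX lists.

```python
import xml.etree.ElementTree as ET

NS = {"bom": "http://cyclonedx.org/schema/bom/1.4"}

# Constructed sample: the libgd3 component from the report above, trimmed to
# the elements that matter for license validation.
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library">
      <name>libgd3</name>
      <version>2.3.0-2</version>
      <licenses>
        <license><id>BSD-3-Clause</id></license>
        <license><id>GD</id></license>
        <license><id>GPL-2.0</id></license>
        <license><id>GPL-2.0+</id></license>
        <license><id>HPND</id></license>
        <license><id>MIT</id></license>
      </licenses>
    </component>
  </components>
</bom>
"""

# Constructed stand-ins for two SPDX license-list enumerations (illustrative
# subsets, not the real lists). "GD" is present only in the newer one, which
# is the situation the thread describes between list v3.10 and v3.12+.
SPDX_IDS_OLD = frozenset({"BSD-3-Clause", "GPL-2.0", "GPL-2.0+", "HPND", "MIT"})
SPDX_IDS_NEW = SPDX_IDS_OLD | {"GD"}


def license_ids(bom_xml):
    """Return (component name, license id) pairs in document order."""
    root = ET.fromstring(bom_xml)
    pairs = []
    for comp in root.iterfind(".//bom:component", NS):
        name = comp.findtext("bom:name", default="?", namespaces=NS)
        for lic_id in comp.iterfind("bom:licenses/bom:license/bom:id", NS):
            pairs.append((name, (lic_id.text or "").strip()))
    return pairs


def unknown_license_ids(bom_xml, known_ids):
    """License ids used in the BOM that are absent from the known_ids set.

    This is the same enumeration constraint the XSD enforces, done by hand so
    the result names the ids instead of a line/position in the file.
    """
    return sorted({lid for _, lid in license_ids(bom_xml) if lid not in known_ids})


def validate_licenses(bom_xml, known_ids):
    """Mimic the CLI's pass/fail verdict; returns (ok, list of unknown ids)."""
    bad = unknown_license_ids(bom_xml, known_ids)
    return (not bad, bad)


if __name__ == "__main__":
    for label, ids in (("older list", SPDX_IDS_OLD), ("newer list", SPDX_IDS_NEW)):
        ok, bad = validate_licenses(SAMPLE_BOM, ids)
        verdict = "BOM is valid" if ok else "BOM is not valid"
        print(f"{label}: {verdict}; unknown license ids: {bad}")
```

Running it shows the same BOM rejected under the older set (unknown id: GD) and accepted under the newer one, which is why the fix on the tool side is a schema update rather than a change to the SBOM. Pointing the script at a real SBOM file and at the id list extracted from the spdx.schema.json linked above gives a quick pre-check of which license ids a given CLI release will refuse.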

@kkovaletp this should be resolved now in the v0.24.0 release.

coderpatros avatar Mar 25 '22 03:03 coderpatros

Unfortunately, it is not(

> cyclonedx-cli --version
0.24.0

> cyclonedx-cli validate --input-file ${NGINX_REPORTS}/Details/Anchore-SBOM.xml --input-version v1_4
Validating XML BOM...
Validation failed at line number 10282 and position 19: The 'http://cyclonedx.org/schema/bom/1.4:id' element is invalid - The value 'GD' is invalid according to its datatype 'http://cyclonedx.org/schema/spdx:licenseId' - The Enumeration constraint failed.
BOM is not valid.

kkovaletp avatar Mar 28 '22 06:03 kkovaletp