🐛 jake json output in cyclonedx not parsed #9873
Conversation
|
Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.
Note 🟢 Risk threshold not exceeded. Tip Get answers to your security questions. Add a comment in this PR starting with @DryRunSecurity. For example... Powered by DryRun Security |
manuel-sommer
force-pushed
the
jake_cyclonedx
branch
from
8982638 to
a9f4623
Compare
|
@manuel-sommer We should be checking that CycloneDX files from tool vendors are actually valid per the spec before adjusting the CycloneDX parser. I just had a conversation with Steve Springett (person who created CycloneDX) about vendor tool support and his any my experience agree that vendors say "we output ClycloneDX" but the really output "CycloneDX-ish" files. If I look at the the JSON unit test file for Jake at https://cyclonedx.github.io/cyclonedx-web-tool/validate, I get: If it's not valid CycloneDX, it's probably better to create a Jake specific parser rather than make our CycloneDX parser parse invalid CycloneDX. That validator above was the first online one I found - it may not be the best but I still think the CycloneDX parser should probably only parse valid versions and have vendor-specific parsers when the tool provides invalid formats. I'll ask around and see if there's a better CycloneDX validator than that one I found online. |
@manuel-sommer i suggest a specific parser for Jake be implemented instead. |
|
OK. I got curious and ran this official CycloneDX validator from https://github.com/CycloneDX/cyclonedx-cli against the unit test files at So the net result of that was these are valid:
And these are invalid:
I also repeated for XML with these results (all XML unit test files are valid)
|
|
@manuel-sommer So I love that you were fixing an issue with Jake's CycloneDX parser (Thanks for that 🙏 ) but it looks like the right path forward is to: (A) Look at jake.json and figure out how we got an invalid CycloneDX file as a unit-test file. I'd not spend a bunch of time on that but whatever is discovered either:
2 is the best since we're sure we're getting recent & valid output from Jake. I have no clue how old/state jake.json is but that's one possibility. (B) Remove the invalid json files and update the unit tests to use valid files instead. Ideally, you could use the file generated in 2 above to replace the invalid ones as well. I've not had a chance to look at what unit tests use those invalid files but they'll need to be updated once the invalid JSON files are removed so they keep passing when getting called. |
|
I removed jake.json. I don't think I will make a PR to support jake.json as there also exists a jake2.json file which is valid. Maybe, jake.json was an outdated version of jake. Regarding cyclonedx_cwe.json I was not able to detect on why the schema is invalid. Furthermore, it would be an option to include cyclonedx-cli to validate cyclonedx directly on the input, but it has no python package. I found https://pypi.org/project/cyclonedx-editor-validator/ but that validator is inconsistent and does not look like being stable. |
Understandable about not making a separate Jake parser based on that invalid jake.json file. I also didn't find a good Python equivalent to cyclonedx-cli in Python. Something we can do in the future. So this PR now just removes that invalid jake.json file 👍 |
|
@manuel-sommer Before we approve & merge this PR, would you mind removing the cyclonedx_cwe.json file and it's matching unit test so all the invalid CycloneDX files are removed in this PR? |
|
Done @mtesauro |
* 🐛 jake json output in cyclonedx not parsed * remove jake as it is invalid * flake8 * remove cyclonedx_cwe
Exisiting jake.json in cyclonedx is not considered in the parser.