CDX License Support

[giocol91]

scancode_cyclone.json

Description

I experimented with the sbom cyclonedx format in order to import it into 4.12 Dependency track web app (https://dependencytrack.org/). Attached you can find a cyclonedx json sbom created on a project via --package --cyclonedx=scancode_cyclone.json -n 4 options with Scancode toolkit. The json schema can’t be imported into the web app and fails also the validation via cyclonedx-cli. I was just going deeper in finding the differences in the schemas comparing with other cyclone dx bom examples that I managed to import correctly. Has anybody reported this problem? I have seen in one of your presentation online on slideshares that as a roadmap you’re going to adapt more and more this standard.

System configuration

• What OS are you running on? I tried locally on Windows and Linux
• What version of scancode-toolkit was used to generate the scan file? Latest
• What installation method was used to install/run scancode? (pip/source download/other) Via pip

[mjherzog]

@giocol91 Please document the error you encountered.
Note that this is a CDX v1.3 SBOM.

[mjherzog]

I tried to load this SBOM into SCIO 34.8.0 and got the following error in step: [get_packages_from_sboms]

CycloneDX document "scancode_cyclone.json" is not valid:
None is not of type 'string'

Failed validating 'type' in schema['properties']['components']['items']['properties']['group']:
{'type': 'string',
'title': 'Component Group',
'description': 'The grouping name or identifier. This will often be a '
'shortened, single name of the company or project that '
'produced the component, or the source package or '
'domain name. Whitespace and special characters should '
'be avoided. Examples include: apache, '
'org.apache.commons, and apache.org.',
'examples': ['com.acme']}

On instance['components'][0]['group']:
None

Traceback:
File "/opt/scancodeio/aboutcode/pipeline/init.py", line 199, in execute
step(self)
File "/opt/scancodeio/scanpipe/pipelines/load_sbom.py", line 58, in get_packages_from_sboms
self.packages = resolve.get_packages(
^^^^^^^^^^^^^^^^^^^^^
File "/opt/scancodeio/scanpipe/pipes/resolve.py", line 76, in get_packages
if packages := resolve_manifest_resources(resource, package_registry):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/scancodeio/scanpipe/pipes/resolve.py", line 52, in resolve_manifest_resources
packages = get_packages_from_manifest(resource.location, package_registry) or []
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/scancodeio/scanpipe/pipes/resolve.py", line 176, in get_packages_from_manifest
resolved_packages = resolver(input_location=input_location)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/scancodeio/scanpipe/pipes/cyclonedx.py", line 311, in resolve_cyclonedx_packages
cyclonedx_bom = get_bom_instance_from_file(input_location)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/scancodeio/scanpipe/pipes/cyclonedx.py", line 303, in get_bom_instance_from_file
raise ValueError(error_msg)

[pombredanne]

@giocol91 Thanks for the report. We need to fix this alright. Note that ScanCode.io at https://github.com/aboutcode-org/scancode.io that also embeds scancode-toolkit produces CycloneDX formats that should be schema valid.

[pombredanne]

Please document the error you encountered.
Note that this is a CDX v1.3 SBOM.

@giocol91 the error messages would be very useful!