Closed
Hello,
I use this library to generate a Vulnerability Disclosure Report for Adoptium Temurin (OpenJDK Build): https://github.com/adoptium/temurin-vdr-generator/blob/main/cvereporter/report.py
As an example, see https://github.com/adoptium/temurin-vdr-generator/actions/runs/9914996771
However, it doesn't pass validation on https://cyclonedx.github.io/cyclonedx-web-tool/convert, which I'm guessing is powered by https://github.com/CycloneDX/sbom-utility.
It would be nice if the library could somehow prevent me from generating an invalid SBOM.
Errors from running the utility locally include:
Welcome to the sbom-utility! Version `v0.16.0` (sbom-utility) (windows/amd64)
=============================================================================
[INFO] Loading (embedded) default schema config file: `config.json`...
[INFO] Loading (embedded) default license policy file: `license.json`...
[INFO] Attempting to load and unmarshal data from: `vdr.json`...
[INFO] Successfully unmarshalled data from: `vdr.json`
[INFO] Determining file's BOM format and version...
[INFO] Determined BOM format, version (variant): `CycloneDX`, `1.4` (latest)
[INFO] Matching BOM schema (for validation): schema/cyclonedx/1.4/bom-1.4.schema.json
[INFO] Loading schema `schema/cyclonedx/1.4/bom-1.4.schema.json`...
[INFO] Schema `schema/cyclonedx/1.4/bom-1.4.schema.json` loaded.
[INFO] Validating `vdr.json`...
[INFO] BOM valid against JSON schema: `false`
[INFO] (1157) schema errors detected.
[INFO] Formatting error results (`txt` format)...
[INFO] Too many errors. Showing (10/1157) errors.
1. {
"type": "invalid_type",
"field": "metadata.component.supplier",
"context": "(root).metadata.component.supplier",
"description": "Invalid type. Expected: object, given: string",
"value": "Eclipse foundation"
}
2. {
"type": "invalid_type",
"field": "vulnerabilities.0.ratings.0.score",
"context": "(root).vulnerabilities.0.ratings.0.score",
"description": "Invalid type. Expected: number, given: string",
"value": "7.5"
}
3. {
"type": "invalid_type",
"field": "vulnerabilities.0.ratings.1.source",
"context": "(root).vulnerabilities.0.ratings.1.source",
"description": "Invalid type. Expected: object, given: string",
"value": "https://openjdk.org/groups/vulnerability/advisories/2019-04-16"
}
4. {
"type": "invalid_type",
"field": "vulnerabilities.0.ratings.1.score",
"context": "(root).vulnerabilities.0.ratings.1.score",
"description": "Invalid type. Expected: number, given: string",
"value": "7.5"
}
5. {
"type": "number_one_of",
"field": "vulnerabilities.0.affects.0.versions.0",
"context": "(root).vulnerabilities.0.affects.0.versions.0",
"description": "Must validate one and only one schema (oneOf)",
"value": "11.0.2"
}
6. {
"type": "number_one_of",
"field": "vulnerabilities.0.affects.0.versions.1",
"context": "(root).vulnerabilities.0.affects.0.versions.1",
"description": "Must validate one and only one schema (oneOf)",
"value": "12"
}
7. {
"type": "number_one_of",
"field": "vulnerabilities.0.affects.0.versions.2",
"context": "(root).vulnerabilities.0.affects.0.versions.2",
"description": "Must validate one and only one schema (oneOf)",
"value": "7u211"
}
8. {
"type": "number_one_of",
"field": "vulnerabilities.0.affects.0.versions.3",
"context": "(root).vulnerabilities.0.affects.0.versions.3",
"description": "Must validate one and only one schema (oneOf)",
"value": "8u202"
}
9. {
"type": "invalid_type",
"field": "vulnerabilities.1.ratings.0.score",
"context": "(root).vulnerabilities.1.ratings.0.score",
"description": "Invalid type. Expected: number, given: string",
"value": "5.9"
}
10. {
"type": "invalid_type",
"field": "vulnerabilities.1.ratings.1.source",
"context": "(root).vulnerabilities.1.ratings.1.source",
"description": "Invalid type. Expected: object, given: string",
"value": "https://openjdk.org/groups/vulnerability/advisories/2019-04-16"
}
[ERROR] invalid SBOM: schema errors found (vdr.json)
[INFO] document `vdr.json`: valid=[false]
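Every error shown above has the same shape: the CycloneDX 1.4 schema wants an object (`supplier`, `ratings[].source`, `affects[].versions[]`) or a number (`ratings[].score`) and the report carries a bare string. The following is an added example, not code from cyclonedx-python-lib, temurin-vdr-generator or sbom-utility: a standard-library-only pre-flight check that walks a VDR document, reports these four shape problems as JSON Pointer paths matching the validator's `context` output, and applies the unambiguous fixes (wrap the supplier in `{"name": ...}`, the source URL in `{"url": ...}`, each version string in `{"version": ...}`, parse the score as a float). It also covers the `oneOf` case the validator would still reject after wrapping, an entry carrying both `version` and `range`, which it reports rather than silently guessing. The sample document, its vulnerability id `EXAMPLE-0001` and the `ref` value are constructed for the demonstration; the supplier, URL and version strings are taken from the validator output above.

```python
"""Pre-flight shape check for the CycloneDX 1.4 fields flagged by sbom-utility.
Added example using only the standard library; not library or project code."""
import copy
import json

# Constructed sample that reproduces the flagged shapes. The id and ref are
# placeholders; the other string values come from the validator output.
SAMPLE_VDR = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
        "component": {
            "type": "application",
            "name": "temurin",
            "supplier": "Eclipse foundation",  # schema wants an organizationalEntity object
        }
    },
    "vulnerabilities": [
        {
            "id": "EXAMPLE-0001",
            "ratings": [
                {"score": "7.5", "severity": "high", "method": "CVSSv3"},  # score must be a number
                {"score": "7.5",
                 "source": "https://openjdk.org/groups/vulnerability/advisories/2019-04-16"},  # must be an object
            ],
            "affects": [
                {
                    "ref": "temurin-jdk",
                    "versions": [
                        "11.0.2", "12", "7u211", "8u202",  # each must be an object
                        {"version": "8u202", "range": "vers:generic/>=8u202"},  # oneOf: not both
                    ],
                }
            ],
        }
    ],
}


def find_shape_errors(doc):
    """Return (json_pointer, message) pairs for the shapes the 1.4 schema rejects."""
    errors = []
    supplier = doc.get("metadata", {}).get("component", {}).get("supplier")
    if isinstance(supplier, str):
        errors.append(("/metadata/component/supplier", "expected object, got string"))
    for vi, vuln in enumerate(doc.get("vulnerabilities", [])):
        for ri, rating in enumerate(vuln.get("ratings", [])):
            base = f"/vulnerabilities/{vi}/ratings/{ri}"
            if isinstance(rating.get("score"), str):
                errors.append((f"{base}/score", "expected number, got string"))
            if isinstance(rating.get("source"), str):
                errors.append((f"{base}/source", "expected object, got string"))
        for ai, affect in enumerate(vuln.get("affects", [])):
            for xi, entry in enumerate(affect.get("versions", [])):
                ptr = f"/vulnerabilities/{vi}/affects/{ai}/versions/{xi}"
                if isinstance(entry, str):
                    errors.append((ptr, "expected object with 'version' or 'range', got string"))
                elif not isinstance(entry, dict) or ("version" in entry) == ("range" in entry):
                    errors.append((ptr, "exactly one of 'version' or 'range' is required (oneOf)"))
    return errors


def normalize(doc):
    """Return a deep copy with the unambiguous fixes applied. An entry that has
    both 'version' and 'range' is left alone: only a human knows which is right."""
    fixed = copy.deepcopy(doc)
    comp = fixed.get("metadata", {}).get("component", {})
    if isinstance(comp.get("supplier"), str):
        comp["supplier"] = {"name": comp["supplier"]}
    for vuln in fixed.get("vulnerabilities", []):
        for rating in vuln.get("ratings", []):
            if isinstance(rating.get("score"), str):
                try:
                    rating["score"] = float(rating["score"])
                except ValueError:
                    pass  # non-numeric text stays a string, so find_shape_errors keeps reporting it
            if isinstance(rating.get("source"), str):
                rating["source"] = {"url": rating["source"]}
        for affect in vuln.get("affects", []):
            if "versions" in affect:
                affect["versions"] = [
                    {"version": v} if isinstance(v, str) else v for v in affect["versions"]
                ]
    return fixed


if __name__ == "__main__":
    for ptr, msg in find_shape_errors(SAMPLE_VDR):
        print(f"{ptr}: {msg}")
    print(json.dumps(normalize(SAMPLE_VDR), indent=2))
```

Run it against the real `vdr.json` by loading the file into `find_shape_errors` before handing the document to sbom-utility; the pointers it prints line up with the `context` values in the validator output, so the 1157 errors collapse into the handful of generator lines that emit strings where the schema wants structure.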