
SBOM XML namespace cannot be parsed by dependencytrack #88

Closed
hedtke opened this issue Nov 6, 2023 · 9 comments · Fixed by #89

Comments

@hedtke
Contributor

hedtke commented Nov 6, 2023

Uploading an SBOM in XML 1.4 format results in parsing errors in dependencytrack. The namespace ns0 cannot be parsed properly.

The image shows two SBOMs in XML format. The one created by this extension uses xmlns:ns0 and the parser crashes:

2023-11-06 07:46:03,118 WARN [BomUploadProcessingTask] The BOM uploaded is not in a supported format. Supported formats include CycloneDX XML and JSON

The other example created with another tool does not use the namespace and dependencytrack works fine.
[image]

Can we deactivate the ns0?

@memsharded
Member

We might need the inputs from @jkowalleck and @andreas-hilti here?

@jkowalleck
Contributor

Can we deactivate the ns0?

Sure can.
That was also a feature of CycloneDX/cyclonedx-python-lib#438,
which was released via https://github.com/CycloneDX/cyclonedx-python-lib/releases/tag/v5.0.0

@memsharded
Member

Thanks @jkowalleck

Let's remove them then! Do you plan to do the PR yourself @hedtke?

@jkowalleck
Contributor

jkowalleck commented Nov 6, 2023

Anyway

The namespace ns0 cannot be parsed properly.

If this was true, then @DependencyTrack was bugged.
FYI: @nscuro @msymons

@hedtke
Contributor Author

hedtke commented Nov 7, 2023

This is the problematic file. It is our guess that the namespace is the issue. When I switch from XML to JSON, dependency track works fine. Maybe the problem is somewhere else?
bom.xml.zip

@jkowalleck
Contributor

The XML is invalid against the schema. This is due to a bug in cyclonedx-python-lib>=4,<5 (v4.*).
You should depend on cyclonedx-python-lib>=3.1.5,!=4.*,<6

details:

@hedtke
Contributor Author

hedtke commented Nov 7, 2023

The extension needs to be changed, because it is not compatible with v5. I could look into that within the next days. Just installing v5 instead of v4 does not work: LicenseChoice does not exist anymore.

@jkowalleck
Contributor

jkowalleck commented Nov 7, 2023

I do not see why you would care for LicenseChoice at all.

Here are some hints for migrating your code:

def cyclonedx_major_version_is_5() -> bool:
    """Return True if the installed cyclonedx-python-lib reports major version 5."""
    try:
        from cyclonedx import __version__
    except ImportError:
        return False
    # __version__ is a string such as "5.0.0": compare the parsed major number.
    # (Comparing __version__[0], a str, with the int 5 would always be False.)
    return int(__version__.split(".")[0]) == 5

more important is the API change related to the LicenseFactory
that is documented here https://github.com/CycloneDX/cyclonedx-python-lib/releases/tag/v5.0.0
and showcased here https://github.com/CycloneDX/cyclonedx-python-lib/blob/v5.0.0/examples/complex.py
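As an added example (my own code, not from this thread or from cyclonedx-python-lib), here is a version gate that does not depend on the module exposing `__version__` at all: it reads the installed distribution's metadata through `importlib.metadata`, parses the major number as an integer, and fails fast at startup when the major is not one the extension supports. The distribution name `cyclonedx-python-lib` is the PyPI name used in this thread; the function names and the `supported` set are my own. The supported set `{3, 5}` mirrors the range recommended above (`>=3.1.5,!=4.*,<6`), which excludes the v4 series that produced schema-invalid XML.

```python
import re
from importlib import metadata
from typing import Optional, Set

# Leading integer of a version string; tolerates an optional "v" and
# pre-release suffixes such as "5.0.0rc1".
_MAJOR_RE = re.compile(r"^\s*v?(\d+)")


def major_of(version: str) -> Optional[int]:
    """Parse the major number out of a version string ('5.0.0' -> 5), or None."""
    match = _MAJOR_RE.match(version)
    return int(match.group(1)) if match else None


def installed_major(distribution: str = "cyclonedx-python-lib") -> Optional[int]:
    """Major version of an installed distribution, or None if it is not installed.

    Reads package metadata instead of importing the module, so it works even
    when the module itself does not expose a __version__ attribute.
    """
    try:
        return major_of(metadata.version(distribution))
    except metadata.PackageNotFoundError:
        return None


def require_major(distribution: str, supported: Set[int]) -> int:
    """Return the installed major version, or raise if it is missing or unsupported."""
    major = installed_major(distribution)
    if major is None:
        raise RuntimeError(f"{distribution} is not installed")
    if major not in supported:
        raise RuntimeError(
            f"{distribution} {major}.x is not supported; "
            f"expected a major version in {sorted(supported)}"
        )
    return major


if __name__ == "__main__":
    # Majors 3 and 5 correspond to the thread's recommended range >=3.1.5,!=4.*,<6.
    print("installed cyclonedx-python-lib major:", installed_major())
    print("accepted major:", require_major("cyclonedx-python-lib", {3, 5}))
```

Call `require_major("cyclonedx-python-lib", {3, 5})` once at import time of the extension; the error message then names the offending major instead of surfacing later as an `ImportError` on `LicenseChoice` or as a rejected upload.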

@hedtke
Contributor Author

hedtke commented Nov 8, 2023

Thanks @jkowalleck

Let's remove them then! Do you plan to do the PR yourself @hedtke?

PR created: #89
