
Failed to load JSON 1.4 format #610

Closed
pombredanne opened this issue May 5, 2024 · 5 comments
Labels: question (Further information is requested)

Comments

pombredanne commented May 5, 2024

A license was found in some CDX 1.4 doc with this data:

"licenses":[{}]

This makes the validation fail and the doc does not load.
This is another example where we should be able to load the document, normalize and report a warning but not fail entirely.

NB: this is a document produced by some proprietary tool that I do not control.

@tomd ping

jkowalleck added the question (Further information is requested) label May 5, 2024

@jkowalleck (Member)

> should be able to load the document, normalize and report a warning but not fail entirely.

Why do you think so?
Your case is invalid input and should not load at all.

The following JSON would be schema invalid:

{
  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:47381185-339e-4087-a118-ef1d8e6e1d3f",
  "version": 1337,
  "components": [
    {
      "type": "library",
      "name": "regression for issue #610",
      "externalReferences": [
        {
          "type": "other",
          "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues/610"
        }
      ],
      "licenses": [{}]
    }
  ]
}


pombredanne commented May 5, 2024

@jkowalleck I get that this is schema invalid, but there are tools (not mine) that create such data.

I think that the library should accept "almost" valid docs as they are seen in the wild. If it cannot, then this is mostly useless, as not only can it not process these documents, but one also cannot load them first to diagnose the issue.

And this kind of problem forces users to create pre-processing code to fix things up, not a good thing IMHO, and this is a disservice to this library.

Note that this issue is mostly the same as #600: validating the data should be an option and should not be strict all the time.

jkowalleck (Member) commented May 5, 2024

> one cannot load them first to diagnose the issue.

Is that so? This library comes with a schema validator. Is it not able to detect this invalid document?

> validating the data should be an option and should not be strict all the times.

This is not an issue of validation, but of the fact that invalid data is not expected to work in any way. There is just no defined way to "load" invalid data. You could argue to have behavior A, others could argue to have behavior B - when there is just no correct behavior for this case in the first place.

PS: see https://cyclonedx-python-library.readthedocs.io/en/latest/examples.html#complex-deserialize for an example of deserialization after successful validation.

@pombredanne (Author)

So basically some CDX will not be loadable by this library short of writing an external wrapper.

@jkowalleck (Member)

> So basically some CDX will not be loadable

This library is responsible for loading all VALID CycloneDX.
This goal is not reached yet; see #581, #578 and #537.
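Added example, not code from this thread or from cyclonedx-python-lib: the kind of external pre-processing wrapper the discussion ends on. It walks a CycloneDX JSON document, drops entries from any `licenses` array that carry neither `license` nor `expression` (the two forms a 1.4 licenseChoice may take, so a bare `{}` is malformed), and records a warning with the JSON path of each dropped entry so the defect is diagnosable before the cleaned document is handed to the library's strict validator. The embedded document is a constructed variant of the one posted above, with one well-formed entry added.

```python
import copy
import json

# Constructed sample: the schema-invalid 1.4 document from this thread,
# plus a valid license entry so the filter has something to keep.
INVALID_BOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "components": [
    {"type": "library", "name": "regression for issue #610",
     "licenses": [{}, {"license": {"id": "MIT"}}]}
  ]
}
"""


def _is_license_choice(entry):
    # A CycloneDX 1.4 licenseChoice must carry either "license" or "expression".
    return isinstance(entry, dict) and ("license" in entry or "expression" in entry)


def normalize_licenses(node, path="", warnings=None):
    """Return (normalized_copy, warnings); every "licenses" array in the tree
    is filtered down to well-formed entries. The input object is not modified."""
    if warnings is None:            # top-level call: work on a deep copy
        warnings = []
        node = copy.deepcopy(node)
    if isinstance(node, dict):
        for key, value in list(node.items()):
            child = f"{path}/{key}"
            if key == "licenses" and isinstance(value, list):
                kept = [e for e in value if _is_license_choice(e)]
                for i, entry in enumerate(value):
                    if not _is_license_choice(entry):
                        warnings.append(f"{child}/{i}: dropped malformed license entry {entry!r}")
                node[key] = kept
            else:                   # components, metadata, services, nested components...
                normalize_licenses(value, child, warnings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            normalize_licenses(item, f"{path}/{i}", warnings)
    return node, warnings


def preprocess(bom_json):
    """Wrapper step: parse the raw JSON text, normalize, report what was changed."""
    return normalize_licenses(json.loads(bom_json))
```

The returned document is what you would serialize and pass to the library's own JSON validator; the warnings list is what you would surface to the user instead of a hard failure.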
