-
-
Notifications
You must be signed in to change notification settings - Fork 46
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Relax validation of license name field #733
Conversation
The `name` field of the `license` type is specified differently in the schema files. The [1.5 JSON schema](https://github.com/CycloneDX/specification/blob/master/schema/bom-1.5.schema.json#L753-L758) does not define any restriction or pattern for this field. On the other hand the [1.5 XML schema definition](https://github.com/CycloneDX/specification/blob/master/schema/bom-1.5.xsd#L649-L653) declares the `name` field a `NormalizedString`. The latter does not allow certain characters, e.g. `\n`, `\t`, to be present inside the string. This change relaxes the validation of the license name field to allow validation for JSON loaded BOM files as well. * remove validation checks for license name field Signed-off-by: Sebastian Ziebell <[email protected]>
What is the motivation here? Is the library found incompatible with some SBOMs found in the wild? If we do this, we can potentially load more JSONs but then converting the SBOM to XML will fail, which is a footgun. If the 1.6 draft schemas change this, I could see this being a bugfix we could just apply. But as it is, it looks like the specification contradicting itself to me, and I'd prefer to seek clarification upstream before doing anything. Are you in CycloneDX slack? I can add you if not. |
Hi @Shnatsel , @lfrancke stumbled upon a validation error after loading a BOM file in JSON format. When I checked the schema definitions for the
That would be good, I think Lars has moved the discussion to Slack. |
Conclusions from the Slack discussion:
@justahero do you think this is feasible? Relevant snippet of Slack discussion: |
Hi @Shnatsel ,
My understanding is other XML libraries know how to handle the
You are right, the serialization code using To illustrate pub struct NewStringType(pub String);
impl FromXml for NewStringType {
fn read_xml_element<R: std::io::Read>(
event_reader: &mut xml::EventReader<R>,
element_name: &xml::name::OwnedName,
_attributes: &[xml::attribute::OwnedAttribute],
) -> Result<Self, crate::errors::XmlReadError>
where
Self: Sized,
{
let read_string = read_simple_tag(event_reader, element_name)?;
// replace forbidden chars
Ok(NewStringType(read_string))
}
}
// then to parse a `normalizedstring` using the `NewStringType`, applying replacement of forbidden chars
let vendor = NewStringType::read_xml_element(&event_reader, &name, &attributes)?; Is this close to what you had in mind? |
I feel this warrants its own GH issue, as it requires more work to fix the serialization code. @Shnatsel, your comments got me further thinking about the serialization issue. I'm now uncertain if we should use the |
Yes, that's exactly it. Plus a similar replacement pass in serialization too.
I agree. I think we should not use |
I would like to close this PR in favour of #737 |
SGTM |
The
name
field of thelicense
type is specified differently in the schema files. The 1.5 JSON schema does not define any restriction or pattern for this field. On the other hand the 1.5 XML schema definition declares thename
field aNormalizedString
. The latter does not allow certain characters, e.g.\n
,\t
, to be present inside the string.This change relaxes the validation of the license name field to allow validation for JSON loaded BOM files as well.