From f50463f7ff583a8c6fdb397df81e51acfd5eff46 Mon Sep 17 00:00:00 2001
From: nscuro
Date: Mon, 13 May 2024 11:21:08 +0200
Subject: [PATCH] Fix failing JSON BOM validation when `specVersion` is not one of the first fields

Problem was that the search for `specVersion` was aborted upon encountering a `}` token. It should be `EOF` (or `null` in case of `JsonParser#nextToken`) instead.

Fixes #3696

Signed-off-by: nscuro
---
 .../parser/cyclonedx/CycloneDxValidator.java | 2 +-
 .../parser/cyclonedx/CycloneDxValidatorTest.java | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidator.java b/src/main/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidator.java
index 84afedc263..1ed7baf283 100644
--- a/src/main/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidator.java
+++ b/src/main/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidator.java
@@ -126,7 +126,7 @@ private CycloneDxSchema.Version detectSchemaVersionFromJson(final byte[] bomByte
 }
 
 CycloneDxSchema.Version schemaVersion = null;
- while (jsonParser.nextToken() != JsonToken.END_OBJECT) {
+ while (jsonParser.nextToken() != null) {
 final String fieldName = jsonParser.getCurrentName();
 if ("specVersion".equals(fieldName)) {
 if (jsonParser.nextToken() == JsonToken.VALUE_STRING) {
diff --git a/src/test/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidatorTest.java b/src/test/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidatorTest.java
index 6ec7f2b48a..4c04359b4f 100644
--- a/src/test/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidatorTest.java
+++ b/src/test/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidatorTest.java
@@ -22,6 +22,7 @@ import org.junit.Test;
 
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+import static org.assertj.core.api.Assertions.assertThatNoException;
 
 public class CycloneDxValidatorTest {
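Review bot: The loop in detectSchemaVersionFromJson now runs to end of input but still does not track nesting, so `getCurrentName()` is compared against `"specVersion"` for a field at any depth; a BOM that carries a `specVersion` key inside a nested object (for example under `metadata`) ahead of the top-level one would be detected with that nested value, assuming the rest of the loop keeps the first match (its tail is outside the hunk, as is the method's start). Since the bytes are an uploaded BOM, detection should be limited to fields of the root object; with Jackson's parsing context that is two lines at the top of the loop body: `final var parent = jsonParser.getParsingContext().getParent();` followed by `if (parent == null || !parent.inRoot()) { continue; }`, which also skips the contents of a non-string `specVersion` value without any manual depth counting. A companion case in CycloneDxValidatorTest with a nested `specVersion` before the top-level one would pin this.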
@@ -162,4 +163,17 @@ public void testValidateXmlWithInvalidComponentType() {
 valid with respect to its type, 'classification'.""");
 }
 
+ @Test // https://github.com/DependencyTrack/dependency-track/issues/3696
+ public void testValidateJsonWithSpecVersionAtTheBottom() {
+ assertThatNoException()
+ .isThrownBy(() -> validator.validate("""
+ {
+ "metadata": {},
+ "components": [],
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.5"
+ }
+ """.getBytes()));
+ }
+
 }
\ No newline at end of file
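Review bot: `""".getBytes()` in testValidateJsonWithSpecVersionAtTheBottom encodes with the platform default charset; the literal is ASCII so it is harmless here, but `.getBytes(StandardCharsets.UTF_8)` (with `import java.nio.charset.StandardCharsets;`) keeps the fixture independent of the JVM's `file.encoding`. If the earlier tests in this file already use a bare `getBytes()`, matching them is acceptable and this can be a follow-up for the whole file.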