Fix validation error when XML BOM declares multiple namespaces
Signed-off-by: Philipp Nanz <[email protected]>
philippn authored and nscuro committed Aug 7, 2024
1 parent 67f7579 commit b5c7d4e
Showing 3 changed files with 109 additions and 0 deletions.
Expand Up @@ -195,6 +195,10 @@ private Version detectSchemaVersionFromXml(final byte[] bomBytes) throws XMLStre
case NS_BOM_16 -> VERSION_16;
default -> null;
};

if (schemaVersion != null) {
break;
}
}

if (schemaVersion == null) {
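Review bot: The new `break` makes the first namespace declaration that maps to a known version win, so a root element carrying two CycloneDX namespace declarations (a prefixed 1.6 next to a default 1.4, for instance) is validated against whichever is declared first rather than the namespace the element itself belongs to, and declaration order is not something BOM producers guarantee. If the reader behind this loop is a StAX XMLStreamReader positioned on the root element, its `getNamespaceURI()` returns that element's own namespace and would remove the dependence on declaration order entirely; the loop header lies outside the hunk, so this is worth confirming there. Either way the intent of the check deserves a comment above it, e.g. `// Stop at the first recognised CycloneDX namespace; later declarations such as xsi/xsd must not reset the detected version`. detectSchemaVersionFromXml starts before and continues after this hunk.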
Expand Up @@ -1079,4 +1079,10 @@ public void uploadBomTooLargeViaPutTest() {
""");
}

@Test
public void validateCycloneDxBomWithMultipleNamespacesTest() throws Exception {
byte[] bom = resourceToByteArray("/unit/bom-issue4008.xml");
assertThatNoException().isThrownBy(() -> CycloneDxValidator.getInstance().validate(bom));
}

}
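Review bot: validateCycloneDxBomWithMultipleNamespacesTest only asserts that no exception escapes, so a regression in which the validator silently picks the wrong schema version but still validates the document would pass unnoticed; if CycloneDxValidator exposes the detected version, assert that it is 1.4 for this fixture rather than relying on the absence of an exception alone. A one-line comment tying the test to its origin would also help the next reader: `// Regression test for issue 4008: extra namespace declarations on the root element must not reset the detected schema version`. The enclosing test class starts before this hunk.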
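--- /dev/null
+++ b/src/test/resources/unit/bom-issue4008.xml
@@ -0,0 +1,99 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="1">
+<metadata>
+<authors>
+<author>
+<name>Author</name>
+<email>[email protected]</email>
+<phone>123-456-7890</phone>
+</author>
+</authors>
+<component type="application" bom-ref="acme">
+<supplier>
+<name>Foo Incorporated</name>
+<url>https://foo.bar.com</url>
+<contact>
+<name>Foo Jr.</name>
+<email>[email protected]</email>
+<phone>123-456-7890</phone>
+</contact>
+</supplier>
+<publisher>DependencyTrack</publisher>
+<name>Acme example</name>
+<externalReferences>
+<reference type="build-system">
+<url>https://acme.example</url>
+</reference>
+<reference type="distribution">
+<url>https://acme.example</url>
+</reference>
+<reference type="issue-tracker">
+<url>https://acme.example</url>
+</reference>
+<reference type="vcs">
+<url>https://acme.example</url>
+</reference>
+</externalReferences>
+</component>
+<manufacture>
+<name>Foo Incorporated</name>
+<url>https://foo.bar.com</url>
+<contact>
+<name>Foo Sr.</name>
+<email>[email protected]</email>
+<phone>800-123-4567</phone>
+</contact>
+</manufacture>
+<supplier>
+<name>Foo Incorporated</name>
+<url>https://foo.bar.com</url>
+<contact>
+<name>Foo Jr.</name>
+<email>[email protected]</email>
+<phone>123-456-7890</phone>
+</contact>
+</supplier>
+</metadata>
+<components>
+<component type="application">
+<supplier>
+<name>Foo Incorporated</name>
+<url>https://foo.bar.com</url>
+<contact>
+<name>Foo Jr.</name>
+<email>[email protected]</email>
+<phone>123-456-7890</phone>
+</contact>
+</supplier>
+<author>Sometimes this field is long because it is composed of a list of authors......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................</author>
+<publisher>Example Incorporated</publisher>
+<group>com.example</group>
+<name>xmlutil</name>
+<version>1.0.0</version>
+<description>A makebelieve XML utility library</description>
+<hashes>
+<hash alg="MD5">2b67669c925048d1a5c7f124d9ba1d2a</hash>
+<hash alg="SHA-1">72ca79908c814022905e86f8bbecd9b829352139</hash>
+<hash alg="SHA-256">1389877662864d2bb0488b4b1e417ce5647a1687084341178a203b243dfe90e7</hash>
+</hashes>
+<licenses>
+<license>
+<id>Apache-2.0</id>
+<url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
+</license>
+</licenses>
+<copyright>Copyright Example Inc. All rights reserved.</copyright>
+<cpe>cpe:/a:example:xmlutil:1.0.0</cpe>
+<purl>pkg:maven/com.example/[email protected]?packaging=jar</purl>
+<modified>false</modified>
+<properties>
+<property name="">foo</property>
+<property name="foo">bar</property>
+<property name="foo:bar">baz</property>
+<property name="foo:bar">qux</property>
+<property name="foo:bar">qux</property>
+<property name="long">aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</property>
+</properties>
+</component>
+</components>
+</bom>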
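Review bot: The root element declares the CycloneDX namespace before `xmlns:xsi` and `xmlns:xsd`, so this fixture only covers recognised-then-foreign declaration order; a second fixture in which `xmlns:xsi` precedes `xmlns="http://cyclonedx.org/schema/bom/1.4"` would also cover the detection loop having to skip an unrecognised namespace before reaching the CycloneDX one, which is the other half of the reported failure. The otherwise unused xsd declaration is right to keep, since a declared-but-unused namespace is what triggered the error. A comment after the XML declaration, `<!-- Regression fixture for issue 4008: extra namespace declarations on the root element must not break schema-version detection -->`, would tell the next reader why this otherwise ordinary BOM exists.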