From b5c7d4ebe3d2d4eb18e325e96eb4ac9b77b0c967 Mon Sep 17 00:00:00 2001
From: Philipp Nanz <philippn@gmail.com>
Date: Wed, 31 Jul 2024 10:56:51 +0200
Subject: [PATCH] Fix validation error when XML BOM declares multiple
 namespaces

Signed-off-by: Philipp Nanz <philippn@gmail.com>
---
 .../parser/cyclonedx/CycloneDxValidator.java  |  4 +
 .../resources/v1/BomResourceTest.java         |  6 ++
 src/test/resources/unit/bom-issue4008.xml     | 99 +++++++++++++++++++
 3 files changed, 109 insertions(+)
 create mode 100644 src/test/resources/unit/bom-issue4008.xml

diff --git a/src/main/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidator.java b/src/main/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidator.java
index 991ebcb579..6da17ac789 100644
--- a/src/main/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidator.java
+++ b/src/main/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidator.java
@@ -195,6 +195,10 @@ private Version detectSchemaVersionFromXml(final byte[] bomBytes) throws XMLStre
                         case NS_BOM_16 -> VERSION_16;
                         default -> null;
                     };
+
+                    if (schemaVersion != null) {
+                        break;
+                    }
                 }
 
                 if (schemaVersion == null) {
diff --git a/src/test/java/org/dependencytrack/resources/v1/BomResourceTest.java b/src/test/java/org/dependencytrack/resources/v1/BomResourceTest.java
index fa48b76e6c..1cc5be81e1 100644
--- a/src/test/java/org/dependencytrack/resources/v1/BomResourceTest.java
+++ b/src/test/java/org/dependencytrack/resources/v1/BomResourceTest.java
@@ -1079,4 +1079,10 @@ public void uploadBomTooLargeViaPutTest() {
                 """);
     }
 
+    @Test
+    public void validateCycloneDxBomWithMultipleNamespacesTest() throws Exception {
+        byte[] bom = resourceToByteArray("/unit/bom-issue4008.xml");
+        assertThatNoException().isThrownBy(() -> CycloneDxValidator.getInstance().validate(bom));
+    }
+
 }
diff --git a/src/test/resources/unit/bom-issue4008.xml b/src/test/resources/unit/bom-issue4008.xml
new file mode 100644
index 0000000000..f4d2a5630b
--- /dev/null
+++ b/src/test/resources/unit/bom-issue4008.xml
@@ -0,0 +1,99 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="1">
+    <metadata>
+        <authors>
+            <author>
+                <name>Author</name>
+                <email>author@example.com</email>
+                <phone>123-456-7890</phone>
+            </author>
+        </authors>
+        <component type="application" bom-ref="acme">
+            <supplier>
+                <name>Foo Incorporated</name>
+                <url>https://foo.bar.com</url>
+                <contact>
+                    <name>Foo Jr.</name>
+                    <email>foojr@bar.com</email>
+                    <phone>123-456-7890</phone>
+                </contact>
+            </supplier>
+            <publisher>DependencyTrack</publisher>
+            <name>Acme example</name>
+            <externalReferences>
+                <reference type="build-system">
+                    <url>https://acme.example</url>
+                </reference>
+                <reference type="distribution">
+                    <url>https://acme.example</url>
+                </reference>
+                <reference type="issue-tracker">
+                    <url>https://acme.example</url>
+                </reference>
+                <reference type="vcs">
+                    <url>https://acme.example</url>
+                </reference>
+            </externalReferences>
+        </component>
+        <manufacture>
+            <name>Foo Incorporated</name>
+            <url>https://foo.bar.com</url>
+            <contact>
+                <name>Foo Sr.</name>
+                <email>foo@bar.com</email>
+                <phone>800-123-4567</phone>
+            </contact>
+        </manufacture>
+        <supplier>
+           <name>Foo Incorporated</name>
+            <url>https://foo.bar.com</url>
+            <contact>
+                <name>Foo Jr.</name>
+                <email>foojr@bar.com</email>
+                <phone>123-456-7890</phone>
+            </contact>
+        </supplier>
+    </metadata>
+    <components>
+        <component type="application">
+            <supplier>
+                <name>Foo Incorporated</name>
+                <url>https://foo.bar.com</url>
+                <contact>
+                    <name>Foo Jr.</name>
+                    <email>foojr@bar.com</email>
+                    <phone>123-456-7890</phone>
+                </contact>
+            </supplier>
+			<author>Sometimes this field is long because it is composed of a list of authors......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................</author>
+            <publisher>Example Incorporated</publisher>
+            <group>com.example</group>
+            <name>xmlutil</name>
+            <version>1.0.0</version>
+            <description>A makebelieve XML utility library</description>
+            <hashes>
+                <hash alg="MD5">2b67669c925048d1a5c7f124d9ba1d2a</hash>
+                <hash alg="SHA-1">72ca79908c814022905e86f8bbecd9b829352139</hash>
+                <hash alg="SHA-256">1389877662864d2bb0488b4b1e417ce5647a1687084341178a203b243dfe90e7</hash>
+            </hashes>
+            <licenses>
+                <license>
+                    <id>Apache-2.0</id>
+                    <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
+                </license>
+            </licenses>
+            <copyright>Copyright Example Inc. All rights reserved.</copyright>
+            <cpe>cpe:/a:example:xmlutil:1.0.0</cpe>
+            <purl>pkg:maven/com.example/xmlutil@1.0.0?packaging=jar</purl>
+            <modified>false</modified>
+            <properties>
+                <property name="">foo</property>
+                <property name="foo">bar</property>
+                <property name="foo:bar">baz</property>
+                <property name="foo:bar">qux</property>
+                <property name="foo:bar">qux</property>
+                <property name="long">aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</property>
+            </properties>
+        </component>
+    </components>
+</bom>