- Type: Bug
- Resolution: Duplicate
- Priority: Minor - P4
- None
- Affects Version/s: None
- Component/s: None
- None
- Server Security
- ALL
While working on uploading server SBOMs to Black Duck, I found that we might have a problem with the SBOM.
I ran sbom-utility to validate mongost master sbom.json and it failed validation:
sbom-utility-v0.16.0-darwin-arm64/sbom-utility validate -i sbom.json
Welcome to the sbom-utility! Version `v0.16.0` (sbom-utility) (darwin/arm64)
============================================================================
[INFO] Loading (embedded) default schema config file: `config.json`...
[INFO] Loading (embedded) default license policy file: `license.json`...
[INFO] Attempting to load and unmarshal data from: `sbom.json`...
[INFO] Successfully unmarshalled data from: `sbom.json`
[INFO] Determining file's BOM format and version...
[INFO] Determined BOM format, version (variant): `CycloneDX`, `1.5` (latest)
[INFO] Matching BOM schema (for validation): schema/cyclonedx/1.5/bom-1.5.schema.json
[INFO] Loading schema `schema/cyclonedx/1.5/bom-1.5.schema.json`...
[INFO] Schema `schema/cyclonedx/1.5/bom-1.5.schema.json` loaded.
[INFO] Validating `sbom.json`...
[INFO] BOM valid against JSON schema: `false`
[INFO] (1) schema errors detected.
[INFO] Formatting error results (`txt` format)...
1. {
     "type": "invalid_type",
     "field": "components.25.evidence.occurrences.0.location",
     "context": "(root).components.25.evidence.occurrences.0.location",
     "description": "Invalid type. Expected: string, given: array",
     "value": [
       "src/mongo/shell/linenoise.h",
       "src/mongo/shell/linenoise.cpp"
     ]
   }
[ERROR] invalid SBOM: schema errors found (sbom.json)
[INFO] document `sbom.json`: valid=[false]
Can someone please check if that's a legit problem?
- duplicates: SERVER-91492 Fix master sbom format and activate linter (Closed)
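Added example, not part of the original ticket or the project's tooling: a small Python check for the error reported above, where CycloneDX 1.5 requires `evidence.occurrences[].location` to be a string. It lists offending occurrences and rewrites an array-valued location as one occurrence per path. The sample BOM is constructed, the function names are hypothetical, and only top-level components are scanned.

```python
import copy
import json

# Constructed sample shaped like the failing entry in the report; the
# component names are assumptions, the two linenoise paths are from the error.
SAMPLE_BOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "components": [
  {"type": "library", "name": "ok-lib",
   "evidence": {"occurrences": [{"location": "src/third_party/ok/ok.h"}]}},
  {"type": "library", "name": "linenoise",
   "evidence": {"occurrences": [{"location": [
     "src/mongo/shell/linenoise.h", "src/mongo/shell/linenoise.cpp"]}]}}
 ]}
""")


def find_bad_locations(bom):
    """Return (path, value) for each occurrence whose location is not a string."""
    bad = []
    for ci, comp in enumerate(bom.get("components", [])):
        occs = (comp.get("evidence") or {}).get("occurrences") or []
        for oi, occ in enumerate(occs):
            loc = occ.get("location")
            if not isinstance(loc, str):
                path = f"components.{ci}.evidence.occurrences.{oi}.location"
                bad.append((path, loc))
    return bad


def split_array_locations(bom):
    """Return a copy in which each array location becomes one occurrence per path."""
    fixed = copy.deepcopy(bom)
    for comp in fixed.get("components", []):
        evidence = comp.get("evidence") or {}
        if "occurrences" not in evidence:
            continue
        out = []
        for occ in evidence["occurrences"]:
            loc = occ.get("location")
            if isinstance(loc, list):
                # bom-ref must stay unique, so it is not copied to split entries
                out.extend({"location": p} for p in loc if isinstance(p, str))
            else:
                out.append(occ)
        evidence["occurrences"] = out
    return fixed


if __name__ == "__main__":
    print(find_bad_locations(SAMPLE_BOM))
    print(find_bad_locations(split_array_locations(SAMPLE_BOM)))
```

Run the rewritten file back through `sbom-utility validate -i` to confirm it passes the 1.5 schema.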