
Validation failure: The value 'Kazlib' is invalid according to its datatype 'http://cyclonedx.org/schema/spdx:licenseId'

Open DavidJuanes opened this issue 2 years ago • 3 comments

I have created an SBOM using Syft for the following docker image: debian:bookworm-slim. Here is the produced SBOM: syft-bom.zip

When I validate it using cyclonedx-cli, I get the following error: Validation failed at line number 579 and position 23: The 'http://cyclonedx.org/schema/bom/1.5:id' element is invalid - The value 'Kazlib' is invalid according to its datatype 'http://cyclonedx.org/schema/spdx:licenseId' - The Enumeration constraint failed.

Looking at the spec for licenseId I see that Kazlib is a valid enumeration value: https://cyclonedx.org/schema/spdx

Therefore I believe there might be a bug here.

I am using cyclonedx-cli version 0.25.0

DavidJuanes avatar Sep 25 '23 15:09 DavidJuanes

Manually removing Kazlib license entries in the SBOM fixes the issue; the SBOM is successfully validated.

DavidJuanes avatar Sep 25 '23 15:09 DavidJuanes

Similar issue found for licenseId libutil-David-Nugent

DavidJuanes avatar Sep 25 '23 15:09 DavidJuanes

I think one would need to update the schema here: https://github.com/CycloneDX/cyclonedx-dotnet-library/blob/main/src/CycloneDX.Core/Schemas/spdx.xsd and then use the new version of the cyclonedx-dotnet-library.

andreas-hilti avatar Oct 01 '23 11:10 andreas-hilti
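The failure in this thread comes from the `licenseId` enumeration in the bundled `spdx.xsd` lagging behind the SPDX license list, so a valid ID such as `Kazlib` is rejected. The following added example (not code from cyclonedx-cli or the cyclonedx-dotnet-library) shows how to pre-check an SBOM against whichever `spdx.xsd` a tool ships, so that a mismatch can be attributed to a stale schema rather than a bad SBOM. Both the trimmed schema and the SBOM below are constructed stand-ins: the real `spdx.xsd` contains the full SPDX list, and a real Syft output is far larger. The function names are this example's own.

```python
import xml.etree.ElementTree as ET

XS = "http://www.w3.org/2001/XMLSchema"
BOM_NS = "http://cyclonedx.org/schema/bom/1.5"

# Constructed, trimmed stand-in for the library's spdx.xsd. A stale copy of the
# real file looks like this: some license IDs that SPDX already lists are absent.
SPDX_XSD = """<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           targetNamespace="http://cyclonedx.org/schema/spdx">
  <xs:simpleType name="licenseId">
    <xs:restriction base="xs:string">
      <xs:enumeration value="Apache-2.0"/>
      <xs:enumeration value="GPL-2.0-only"/>
      <xs:enumeration value="MIT"/>
    </xs:restriction>
  </xs:simpleType>
</xs:schema>
"""

# Constructed CycloneDX 1.5 fragment with the two IDs reported in this issue.
SBOM_XML = """<?xml version="1.0"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <components>
    <component type="library">
      <name>libbsd</name>
      <licenses><license><id>MIT</id></license></licenses>
    </component>
    <component type="library">
      <name>libkazlib</name>
      <licenses><license><id>Kazlib</id></license></licenses>
    </component>
    <component type="library">
      <name>libutil</name>
      <licenses><license><id>libutil-David-Nugent</id></license></licenses>
    </component>
    <component type="library">
      <name>vendored-blob</name>
      <licenses><license><name>Proprietary EULA</name></license></licenses>
    </component>
  </components>
</bom>
"""


def load_license_ids(xsd_text):
    """Return the set of values the schema's licenseId enumeration accepts."""
    root = ET.fromstring(xsd_text)
    path = f".//{{{XS}}}simpleType[@name='licenseId']//{{{XS}}}enumeration"
    return {e.get("value") for e in root.findall(path)}


def find_unknown_license_ids(sbom_text, allowed):
    """List <license><id> values in the SBOM that the schema would reject.

    <license><name> entries are free text, not SPDX IDs, so they are skipped;
    only <id> is constrained by the licenseId enumeration.
    """
    root = ET.fromstring(sbom_text)
    unknown = []
    for lic in root.iter(f"{{{BOM_NS}}}license"):
        id_el = lic.find(f"{{{BOM_NS}}}id")
        if id_el is None or not id_el.text:
            continue
        value = id_el.text.strip()
        if value not in allowed:
            unknown.append(value)
    return sorted(unknown)


if __name__ == "__main__":
    allowed = load_license_ids(SPDX_XSD)
    for lic_id in find_unknown_license_ids(SBOM_XML, allowed):
        print(f"not in schema enumeration: {lic_id}")
```

Run against the real files, point `load_license_ids` at the `spdx.xsd` from the cyclonedx-dotnet-library version your cyclonedx-cli build embeds and `find_unknown_license_ids` at the Syft output; any ID the script reports that is present on https://cyclonedx.org/schema/spdx is a schema-staleness problem rather than an SBOM error, which is exactly the case fixed by updating the bundled schema.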

The spdx schema in the library was updated with 0.25.1. Please let me know if there is still an issue.

mtsfoni avatar May 22 '24 19:05 mtsfoni