When processing an SBOM, let's leverage json.match_schema to ensure the provided SBOM adheres to the expected schema.
We should do this when processing either CycloneDX or SPDX SBOMs.
Care must be taken regarding which version of the schema is used. Consider creating a list of allowed versions and validating accordingly.
NOTE: In some cases, the schema is more lax than we'd like. For example, we have policy rules that ensure a CycloneDX SBOM provides a non-empty list of components. However, the schema does not enforce this.
Acceptance Criteria
SBOMs are verified against the expected JSON schema.
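Added example (not code from the issue or the project's own policies) of a Rego rule set that checks a CycloneDX SBOM with `json.match_schema` against an allow-list of schema versions and separately enforces the non-empty components list the schema does not. Assumptions: the schema map here is a constructed stand-in for the real CycloneDX JSON schemas, and `data.config.allowed_spec_versions` is a hypothetical policy-config value.

```rego
package sbom.cyclonedx

import rego.v1

# Constructed, heavily trimmed stand-in for the real CycloneDX schemas.
# In practice the full schema for each version would be loaded as data.
schemas := {"1.5": {
	"type": "object",
	"required": ["bomFormat", "specVersion", "components"],
	"properties": {
		"bomFormat": {"const": "CycloneDX"},
		"specVersion": {"const": "1.5"},
		"components": {"type": "array"},
	},
}}

# Hypothetical policy-config knob: which spec versions the author accepts.
allowed_versions := data.config.allowed_spec_versions

spec_version := object.get(input, "specVersion", "<missing>")

# Reject versions the config author has not allowed, whether or not we have a schema.
deny contains msg if {
	not spec_version in allowed_versions
	msg := sprintf("CycloneDX specVersion %q is not in the allowed list", [spec_version])
}

# Reject versions we cannot validate because no schema is available for them.
deny contains msg if {
	spec_version in allowed_versions
	not schemas[spec_version]
	msg := sprintf("no JSON schema available for CycloneDX specVersion %q", [spec_version])
}

# Validate the document against the schema for its version; one message per error.
deny contains msg if {
	schema := schemas[spec_version]
	[match, errors] := json.match_schema(input, schema)
	not match
	some e in errors
	msg := sprintf("SBOM does not match CycloneDX %s schema: %s", [spec_version, e.desc])
}

# The schema only requires "components" to be an array; the policy also wants it non-empty.
deny contains msg if {
	count(object.get(input, "components", [])) == 0
	msg := "CycloneDX SBOM must list at least one component"
}
```

Evaluating `data.sbom.cyclonedx.deny` with an SBOM as `input` and `{"allowed_spec_versions": ["1.5"]}` under `data.config` yields an empty set for a conforming document and one message per failed check otherwise.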
NOTE: After creating this story, I added some support for schema validation of CycloneDX SBOMs. It currently hard-codes the version 1.5. This means that if an older version is used, or a newer one (!), then the policy rule will cause a violation. This is ok for our current use cases, but ideally, we want to allow policy config authors to specify which schema version to check against. I'll leave this story as is to fulfill that purpose.