Use json schema validation when processing SBOMs #808
Comments
|
NOTE: After creating this story, I added some support for schema validation of CycloneDX SBOMs. It currently hard codes the version 1.5. This means that if an older version is used, or a newer one(!) , then the policy rule will cause a violation. This is ok for our current use cases, but ideally, we want to allow policy config authors to specify which schema version to check against. I'll leave this story as is to fulfill that purpose. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When processing an SBOM, let's leverage json.match_schema to ensure the provided SBOM adheres to the expected schema.
We should do this when processing either CycloneDX or SPDX SBOMs.
Care must be taken regarding which version of the schema to be used. Consider creating a list of allowed versions and validating accordingly.
NOTE: In some cases, the schema is more lax than we'd like. For example, we have policy rules that ensure a CycloneDX SBOM provides a non-empty list of components. However, the schema does not enforce this.
Acceptance Criteria
The text was updated successfully, but these errors were encountered: