SBOM does not validate #5186

Closed
sebastianbergmann opened this issue Feb 9, 2023 · 14 comments

@sebastianbergmann
Owner

sebastianbergmann commented Feb 9, 2023

Reported by @llaville in box-project/box#841 (comment).

@llaville

llaville commented Feb 9, 2023

Instead of using xmllint I've used a DOMDocument::schemaValidate user script.

<?php

// Render one libxml error record as an HTML fragment (level, code, message, file, line).
function libxml_display_error($error)
{
    $return = "<br/>\n";
    switch ($error->level) {
        case LIBXML_ERR_WARNING:
            $return .= "<b>Warning $error->code</b>: ";
            break;
        case LIBXML_ERR_ERROR:
            $return .= "<b>Error $error->code</b>: ";
            break;
        case LIBXML_ERR_FATAL:
            $return .= "<b>Fatal Error $error->code</b>: ";
            break;
    }
    $return .= trim($error->message);
    if ($error->file) {
        $return .= " in <b>$error->file</b>";
    }
    $return .= " on line <b>$error->line</b>\n";

    return $return;
}

// Print every error libxml collected since the last clear, then reset the buffer.
function libxml_display_errors() {
    $errors = libxml_get_errors();
    foreach ($errors as $error) {
        print libxml_display_error($error);
    }
    libxml_clear_errors();
}

// Collect libxml errors instead of emitting PHP warnings, so they can be reported below.
libxml_use_internal_errors(true);

$xml = new DOMDocument();
$xml->load('phpunit-10.0.7-sbom.xml');

// Validate the SBOM against the CycloneDX 1.4 XML schema.
if (!$xml->schemaValidate('bom-1.4.xsd')) {
    print '<b>DOMDocument::schemaValidate() Generated Errors!</b>';
    libxml_display_errors();
}

Where:

Script execution gave me:

<b>DOMDocument::schemaValidate() Generated Errors!</b><br/>
<b>Error 1845</b>: Element '{https://cyclonedx.org/schema/bom/1.4}bom': No matching global declaration available for the validation root. in <b>/shared/backups/bartlett/box-manifest/phpunit-10.0.7-sbom.xml</b> on line <b>2</b>

@sebastianbergmann
Owner Author

https://cyclonedx.org/schema/bom/1.4 is what we reference in the generated XML.

@llaville

llaville commented Feb 9, 2023

OK, got it! With the cyclonedx-cli validate command. The version is not auto-detected, so specify it and you'll get the error: easy to fix then!

docker run --rm --user $(id -u):$(id -g) --mount type=bind,source=$PWD,target=/tmp -w /tmp cyclonedx/cyclonedx-cli validate --input-file phpunit-10.0.7-sbom.xml --input-version v1_4
Validating XML BOM...
Invalid namespace URI: expected http://cyclonedx.org/schema/bom/1.4 actual https://cyclonedx.org/schema/bom/1.4
BOM is not valid.

@sebastianbergmann
Owner Author

This sounds like an issue with their validator: why do they refuse HTTPS and want HTTP? Sounds silly to me.

@llaville

llaville commented Feb 9, 2023

Agree with you!

@llaville

llaville commented Feb 9, 2023

The official specification uses the http protocol:
https://cyclonedx.org/docs/1.4/xml/
So unless they choose to use the https protocol, I suppose anybody who wants to implement their format should follow their specs.

@sebastianbergmann
Owner Author

Is https instead of http really the only issue here?

@llaville

They (CycloneDX) decided to use only (as of today) the http protocol for their specifications. So if you use https, your results won't be validated.

@sebastianbergmann
Owner Author

I get that. But is this the only reason why PHPUnit's SBOM does not validate?

@llaville

Yes. I've just re-checked, at least with the PHPUnit 10.0.7 PHAR, using their own validator:

docker run --rm -it -v /tmp:/tmp -v $(pwd):/app:rw cyclonedx/cyclonedx-cli validate --input-file /app/sbom.xml --input-version v1_4

@sebastianbergmann
Owner Author

Thank you!

@thg2k

thg2k commented Mar 2, 2023

This sounds like an issue with their validator: why do they refuse HTTPS and want HTTP? Sounds silly to me.

@sebastianbergmann @llaville I feel obliged to point out that the xmlns is a URI, not a URL. The XML spec mandates that the xmlns is to be taken as a literal string, so you have to think of it the same way as a hash or a UUID. In fact, it can just as well be a UUID (under the "urn" scheme). The reason they look like URLs is purely a best practice, so that they have some meaningful content for humans and are supposedly world-wide unique (as you are supposed to own the domain you choose in there).

So no, it's not silly at all, using HTTPS instead of HTTP is in fact a big mistake 😄

EDIT: To strengthen the concept above, the "URL" you get out of it does not necessarily point to anything; it can be a 404 or a non-existing subdomain or anything. You are not meant to use it as a URL at all.
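The literal-string comparison described in the comments above, as an added example that is not part of this issue and not code from PHPUnit or CycloneDX. It parses two constructed minimal CycloneDX 1.4 SBOMs, one with the namespace the spec publishes (http) and one with the https variant this issue is about, and compares the root element's namespace byte-for-byte, which is what both DOMDocument::schemaValidate (no global declaration for the root in the XSD's target namespace) and cyclonedx-cli (its "Invalid namespace URI" message) are effectively doing. The function names and the sample documents are assumptions made for this example.

```python
"""Check a CycloneDX XML SBOM's root namespace as a literal string.

Added example, not code from PHPUnit or CycloneDX. xmlns values are
identifiers, so "https://..." is simply a different namespace from
"http://..."; no scheme normalization is applied anywhere.
"""
import xml.etree.ElementTree as ET

# Namespace URI as published in the CycloneDX 1.4 XML specification (http, not https).
CYCLONEDX_XML_NS = {
    "1.4": "http://cyclonedx.org/schema/bom/1.4",
}

# Constructed minimal SBOM that uses the namespace exactly as the spec publishes it.
VALID_NS_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library">
      <name>example-lib</name>
      <version>1.0.0</version>
    </component>
  </components>
</bom>
"""

# Constructed SBOM with the https namespace, the shape this issue reports for PHPUnit 10.0.7.
HTTPS_NS_BOM = VALID_NS_BOM.replace("http://cyclonedx.org", "https://cyclonedx.org")


def split_clark(tag):
    """Split ElementTree's '{namespace}local' tag notation into (namespace, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def check_bom_namespace(xml_text, spec_version="1.4"):
    """Return (ok, message); ok is True only if the root is <bom> in exactly the expected namespace."""
    expected = CYCLONEDX_XML_NS[spec_version]
    root = ET.fromstring(xml_text)
    actual, local = split_clark(root.tag)
    if local != "bom":
        return False, f"root element is <{local}>, expected <bom>"
    if actual != expected:
        # Plain string equality, mirroring the validator: https and http never match.
        return False, f"Invalid namespace URI: expected {expected} actual {actual}"
    return True, "namespace OK"


if __name__ == "__main__":
    for label, doc in (("http namespace", VALID_NS_BOM), ("https namespace", HTTPS_NS_BOM)):
        ok, message = check_bom_namespace(doc)
        print(f"{label}: {'valid' if ok else 'invalid'} ({message})")
```

Running the block prints one line per document; the https variant is rejected with the same "expected ... actual ..." wording cyclonedx-cli produced in this issue. An XSD validator reaches the same verdict by a different route: the schema's target namespace is the http string, so an element in the https namespace has no global declaration to validate against, which is the libxml error 1845 shown earlier.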

@sebastianbergmann
Owner Author

@thg2k Thank you for clarifying, and sorry for using the word "silly".
