Closed
Labels: bug (Something isn't working)
Description
What happened:
The SBOM may contain an invalid algorithm name in .components[].externalReferences[].hashes[].alg.
The wrong value does not match the reference.
$ syft packages IMAGE -o cyclonedx-json=/tmp/bom.json
$ cyclonedx validate --input-file /tmp/bom.json
Unable to validate against any JSON schemas.
BOM is not valid.
# cyclone merge and convert commands give a pointer to the error
$ cyclone convert --input-file /tmp/bom.json ...
Unhandled exception: System.Text.Json.JsonException: The JSON value could not be converted to CycloneDX.Models.Hash+HashAlgorithm. Path: $.components[153].externalReferences[0].hashes[0].alg ...
$ jq ".components[153].externalReferences[].hashes[].alg" /tmp/bom.json
"sha1"
What you expected to happen:
$ cyclonedx validate --input-file /tmp/bom.json
BOM validated successfully.
How to reproduce it (as minimally and precisely as possible):
Use cyclonedx validate on a CycloneDX SBOM containing a sha1 alg.
Replacing the sha1 value with SHA-1 fixes the issue.
Anything else we need to know?:
Environment:
- Output of syft version:
Application: syft
Version: 0.46.0
JsonSchemaVersion: 3.2.3
BuildDate: 2022-05-12T16:12:28Z
GitCommit: 91e2fd8532254216a83c80891611751d0c8fba7b
GitDescription: v0.46.0
Platform: linux/amd64
GoVersion: go1.18.1
Compiler: gc
- OS (e.g: cat /etc/os-release or similar):
Ubuntu 20.04.4 LTS
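A consumer-side check for the mismatch reported above, written as an added example (it is not syft's or the CycloneDX CLI's code): it walks a CycloneDX JSON document, reports every hash alg that is not in the schema enum using the same $.components[..] path notation the converter error prints, and rewrites the spellings it can map (sha1 to SHA-1) while flagging the ones it cannot. It assumes the CycloneDX 1.4 enum of hash algorithm names and a constructed sample BOM, and it also covers component-level hashes, not only externalReferences.

```python
import json
import re

# Hash algorithm names the CycloneDX JSON schema accepts (1.4 enum, assumed here).
CYCLONEDX_HASH_ALGS = {
    "MD5", "SHA-1", "SHA-256", "SHA-384", "SHA-512",
    "SHA3-256", "SHA3-384", "SHA3-512",
    "BLAKE2b-256", "BLAKE2b-384", "BLAKE2b-512", "BLAKE3",
}

# Lookup keyed on the lower-cased name with separators stripped,
# so "sha1", "Sha-1" and "SHA_1" all resolve to "SHA-1".
_CANONICAL = {re.sub(r"[^a-z0-9]", "", a.lower()): a for a in CYCLONEDX_HASH_ALGS}

def canonical_alg(alg):
    """Return the schema-valid spelling for alg, or None if it cannot be mapped."""
    return _CANONICAL.get(re.sub(r"[^a-z0-9]", "", alg.lower()))

def _iter_hashes(bom):
    """Yield (json_path, hash_object) for every hash entry under components[]."""
    for ci, comp in enumerate(bom.get("components", [])):
        for hi, h in enumerate(comp.get("hashes", [])):
            yield f"$.components[{ci}].hashes[{hi}]", h
        for ri, ref in enumerate(comp.get("externalReferences", [])):
            for hi, h in enumerate(ref.get("hashes", [])):
                yield f"$.components[{ci}].externalReferences[{ri}].hashes[{hi}]", h

def find_invalid_hash_algs(bom):
    """Return (json_path, alg) for every alg that is not in the schema enum."""
    return [(path + ".alg", h.get("alg")) for path, h in _iter_hashes(bom)
            if h.get("alg") not in CYCLONEDX_HASH_ALGS]

def normalize_hash_algs(bom):
    """Rewrite fixable alg values in place; return the paths that could not be mapped."""
    unfixable = []
    for path, h in _iter_hashes(bom):
        alg = h.get("alg")
        if alg in CYCLONEDX_HASH_ALGS:
            continue
        fixed = canonical_alg(alg) if isinstance(alg, str) else None
        if fixed is None:
            unfixable.append(path + ".alg")
        else:
            h["alg"] = fixed
    return unfixable

# Constructed sample BOM mimicking the report: one lower-case "sha1", one unknown "crc32".
SAMPLE_BOM = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
 "components": [
  {"type": "library", "name": "pkg-a", "version": "1.0",
   "hashes": [{"alg": "SHA-256", "content": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}],
   "externalReferences": [{"type": "distribution", "url": "https://example.invalid/pkg-a.tgz",
     "hashes": [{"alg": "sha1", "content": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}]}]},
  {"type": "library", "name": "pkg-b", "version": "2.0",
   "externalReferences": [{"type": "vcs", "url": "https://example.invalid/pkg-b",
     "hashes": [{"alg": "crc32", "content": "00000000"}]}]}]}""")
```

Run find_invalid_hash_algs on a syft-generated bom.json to locate the offending entries before feeding it to cyclonedx validate; normalize_hash_algs repairs the case-only mismatches and leaves anything else for manual review.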