-
-
Notifications
You must be signed in to change notification settings - Fork 43
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] Schema-invalid serialized result when multiple licenses #365
Comments
Confirmed this impacts JSON and XML serialization. |
After some [internal] discussions with CycloneDX folks, we agree that the current Pythonic Model (use of Definitions such as:
are incorrect as it allows users of the model to supply a set with more than 1 License Expression - which is invalid according to CycloneDX Spec v1.4. Syntactically, the above definition should more accurately be defined as:
FYI @jkowalleck |
… serialization BREAKING CHANGE: Models changed to resolve #365 Signed-off-by: Paul Horton <[email protected]>
After further investigation, the challenge associated with serialization for JSON XML |
re: #365 (comment) anyway, @madpah , could you open an issue/discussion in https://github.com/CycloneDX/specification/ ? |
@madpah , i think the following is a forgiving deserializing (since a mix of expression and licenses was possible in spec<=1.4)
Result:
PS: here is an example implementation i drafted for TypeScript - https://github.com/CycloneDX/cyclonedx-javascript-library/blob/a43f5f1c61945b4479f3ead79d05de1db36a63f1/src/serialize/xml/normalize.ts#L488-L503 |
hey, @jkowalleck and @madpah any update on this? I wanted to upgrade our project to use the latest version ,but this blocking me a bit. Any insights of potential fixes or recommendation on what to do with the multiple license case? |
I am looking into the proposed fixed. |
@madpah impossible to create a solution with the existing solution for serialization. We need custom (de)serialization here, as we had previously. |
bugfixing this might break things downstream. |
component
or metadata
has more than one license
Signed-off-by: Jan Kowalleck <[email protected]>
regression for issue #365 Signed-off-by: Jan Kowalleck <[email protected]>
with https://github.com/madpah/serializable/releases/tag/v0.13.0 |
implementation details:
|
will tackle this issue soon. |
breaking changes ------------------ * Reworked license related models and collections * API * Removed class `factory.license.LicenseChoiceFactory` The old functionality was integrated into `factory.license.LicenseFactory`. * Method `factory.license.LicenseFactory.make_from_string()`'s parameter `name_or_spdx` was renamed to `value` * Method `factory.license.LicenseFactory.make_from_string()`'s return value can also be a `LicenseExpression` The behavior imitates the old `factory.license.LicenseChoiceFactory.make_from_string()` * Renamed class `module.License` to `module.license.DisjunctliveLicense` * Removed class `module.LicenseChoice` Use dedicated classes `module.license.DisjunctliveLicense` and `module.license.LicenseExpression` instead * All occurrences of `models.LicenseChoice` were replaced by `models.licenses.License` * All occurrences of `SortedSet[LicenseChoice]` were specialized to `models.license.LicenseRepository` fixes ------------------ * serialization of multy-licenses #365 added ------------------ * API * Method `factory.license.LicenseFactory.make_with_expression()` * Class `model.license.DisjunctiveLicense` * Class `model.license.LicenseExpression` * Class `model.license.LicenseRepository` * Class `serialization.LicenseRepositoryHelper` tests ------------------ * added regression test for bug #365 misc ------------------ * raised dependency `py-serializable@^9.15` ---- fixes #365 ~~BLOCKED by a feature request to serializer: <https://github.com/madpah/serializable/pull/32>~~ --------- Signed-off-by: Jan Kowalleck <[email protected]>
solution is implemented and will be part up upcoming major version. |
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
for everybody willing to test the fix: see 5.0.0-rc.1 |
BREAKING CHANGES ---------------- * Dropped support for python<3.8 ([#436] via [#441]; enable [#433]) * Reworked license related models, collections, and factories ([#365] via [#466]) * Behavior * Method `model.bom.Bom.validate()` will throw `exception.LicenseExpressionAlongWithOthersException`, if detecting invalid license constellation ([#453] via [#452]) * Fixed tuple comparison when unequal lengths (via [#461]) * API * Enum `schema.SchemaVersion` is no longer string-like ([#442] via [#447]) * Enum `schema.OutputVersion` is no longer string-like ([#442] via [#447]) * Abstract class `output.BaseOutput` requires implementation of new method `output_format` ([#446] via [#447]) * Abstract method `output.BaseOutput.output_as_string()` got new optional parameter `indent` ([#437] via [#458]) * Abstract method `output.BaseOutput.output_as_string()` accepts arbitrary kwargs (via [#458], [#462]) * Removed class `factory.license.LicenseChoiceFactory` (via [#466]) The old functionality was integrated into `factory.license.LicenseFactory`. * Method `factory.license.LicenseFactory.make_from_string()`'s parameter `name_or_spdx` was renamed to `value` (via [#466]) * Method `factory.license.LicenseFactory.make_from_string()`'s return value can also be a `LicenseExpression` ([#365] via [#466]) The behavior imitates the old `factory.license.LicenseChoiceFactory.make_from_string()` * Renamed class `module.License` to `module.license.DisjunctliveLicense` ([#365] via [#466]) * Removed class `module.LicenseChoice` ([#365] via [#466]) Use dedicated classes `module.license.DisjunctliveLicense` and `module.license.LicenseExpression` instead * All occurrences of `models.LicenseChoice` were replaced by `models.licenses.License` ([#365] via [#466]) * All occurrences of `SortedSet[LicenseChoice]` were specialized to `models.license.LicenseRepository` ([#365] via [#466]) Fixed ---------------- * Serialization of multy-licenses ([#365] via [#466]) * Detect unused "dependent" components in `model.bom.validate()` (via [#464]) Changed ---------------- * Updated latest supported list of supported SPDX license identifiers (via [#433]) * Shipped schema files are moved to a protected space (via [#433]) These files were never intended for public use. * XML output uses a default namespace, which makes results smaller. ([#438] via [#458]) Added ---------------- * Support for Python 3.12 (via [#460]) * JSON- & XML-Validators ([#432], [#446] via [#433], [#448]) The functionality might require additional dependencies, that can be installed with the extra "validation". See the docs in section "Installation" for details. * JSON & XML can be generated in a more human-friendly form ([#437], [#438] via [#458]) * Type hints, typings & overloads for better integration downstream (via [#463]) * API * New function `output.make_outputter()` (via [#469]) This replaces the deprecated function `output.get_instance()`. * New sub-package `validation` ([#432], [#446] via [#433], [#448], [#469], [#468], [#469]) * New class `exception.MissingOptionalDependencyException` ([#432] via [#433]) * New class `exception.LicenseExpressionAlongWithOthersException` ([#453] via [#452]) * New dictionaries `output.{json,xml}.BY_SCHEMA_VERSION` ([#446] via [#447]) * Existing implementations of class `output.BaseOutput` now have a new method `output_format` ([#446] via [#447]) * Existing implementations of method `output.BaseOutput.output_as_string()` got new optional parameter `indent` ([#437] via [#458]) * Existing implementations of method `output.BaseOutput.output_to_file()` got new optional parameter `indent` ([#437] via [#458]) * New method `factory.license.LicenseFactory.make_with_expression()` (via [#466]) * New class `model.license.DisjunctiveLicense` ([#365] via [#466]) * New class `model.license.LicenseExpression` ([#365] via [#466]) * New class `model.license.LicenseRepository` ([#365] via [#466]) * New class `serialization.LicenseRepositoryHelper` ([#365] via [#466]) Deprecated ---------------- * Function `output.get_instance()` might be removed, use `output.make_outputter()` instead (via [#469]) Tests ---------------- * Added validation tests with official CycloneDX schema test data ([#432] via [#433]) * Use proper snapshots, instead of pseudo comparison ([#437] via [#464]) * Added regression test for bug [#365] (via [#466], [#467]) Misc ---------------- * Dependencies: bumped `py-serializable@^0.15.0`, was `@^0.11.1` (via [#458], [#463], [#464], [#466]) * Style: streamlined quotes and strings (via [#472]) * Chore: bumped internal dev- and QA-tools ([#436] via [#441], [#472]) * Chore: added more QA tools to prevent common security issues (via [#473]) [#432]: #432 [#433]: #433 [#436]: #436 [#437]: #437 [#365]: #365 [#438]: #438 [#440]: #440 [#441]: #441 [#442]: #442 [#446]: #446 [#447]: #447 [#448]: #448 [#452]: #452 [#453]: #453 [#458]: #458 [#460]: #460 [#461]: #461 [#462]: #462 [#463]: #463 [#464]: #464 [#466]: #466 [#467]: #467 [#468]: #468 [#469]: #469 [#472]: #472 [#473]: #473 --------- Signed-off-by: Jan Kowalleck <[email protected]> Signed-off-by: Jan Kowalleck <[email protected]> Signed-off-by: semantic-release <semantic-release> Co-authored-by: semantic-release <semantic-release>
fix available as of https://github.com/CycloneDX/cyclonedx-python-lib/releases/tag/v5.0.0 |
As of
cyclonedx-python-lib
4.0.0
there appears to be a serialization error when the provided (valid) Model has more than one license added.Example:
produces
Which is invalid as per the CycloneDX schema.
this CDX schema discrepancy was fixed via CycloneDX/specification#204
important for the fix:
#365 (comment)
The text was updated successfully, but these errors were encountered: