fix: invalid serialization when multiple licenses added to metadata or a component #366
Conversation
Signed-off-by: Paul Horton <[email protected]>
Signed-off-by: Paul Horton <[email protected]>
Signed-off-by: Paul Horton <[email protected]>
… serialization BREAKING CHANGE: Models changed to resolve #365 Signed-off-by: Paul Horton <[email protected]>
![sonatype-lift[bot]](https://avatars.githubusercontent.com/in/9843?s=60&v=4){kind=small}
| from lxml.etree import DocumentInvalid | ||
| from xmldiff import main | ||
| from xmldiff.actions import MoveNode | ||
| from lxml import etree # type: ignore |
There was a problem hiding this comment.
B410: Using etree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace etree with the equivalent defusedxml package.
❗❗ 2 similar findings have been found in this PR
🔎 Expand here to view all instances of this finding
| File Path | Line Number |
|---|---|
| tests/base.py | 31 |
| tests/test_e2e_environment.py | 24 |
Visit the Lift Web Console to find more details in your report.
ℹ️ Expand to see all @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Help us improve LIFT! (Sonatype LiftBot external survey)
Was this a good recommendation for you? Answering this survey will not impact your Lift settings.
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
| @@ -692,11 +692,11 @@ def _validate_xml_bom(self, bom: Bom, schema_version: SchemaVersion, fixture: st | |||
| if schema_version != LATEST_SUPPORTED_SCHEMA_VERSION: | |||
| # Rewind the BOM to only have data supported by the SchemaVersion in question | |||
| outputter = get_instance(bom=bom, output_format=OutputFormat.XML, schema_version=schema_version) | |||
| bom = cast(Bom, Bom.from_xml(data=ElementTree.fromstring(outputter.output_as_string()))) | |||
| bom = cast(Bom, Bom.from_xml(data=ElementTree.fromstring(outputter.output_as_string()))) # type: ignore | |||
There was a problem hiding this comment.
B314: Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
❗❗ 2 similar findings have been found in this PR
🔎 Expand here to view all instances of this finding
| File Path | Line Number |
|---|---|
| tests/test_deserialize_xml.py | 699 |
| tests/test_real_world_examples.py | 50 |
Visit the Lift Web Console to find more details in your report.
ℹ️ Expand to see all @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Help us improve LIFT! (Sonatype LiftBot external survey)
Was this a good recommendation for you? Answering this survey will not impact your Lift settings.
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
|
already done |
Planned fix for #365.
The issue with serialization of Licenses is due to our current implementation which uses
LicenseChoiceobject which can either represent aLicenseor aLicenseExpression.With the new serialization (introduced in
4.0.0), this type of use case was not catered for.Possible options to resolve:
cyclonedx-python-libto avoid the uses ofLicenseChoiceas is currently implemented@jkowalleck - any thoughts or suggestions?