Comments (7)
The underlying problem here is that DateTime assumes that the format is ISO 8601.
However, for JSON schema, the format is actually RFC 3339 which is a constrained subset of ISO 8601.
We'll probably want to keep DateTime in a neutral format in the models and then use custom serialization for serde and do conversion to ISO 8601 in the XML writer.
If you agree, let me know and I'll try a PR.
After looking at the code, the simplest solution is probably to parse ISO 8601, but emit RFC 3339. This emits something conservative that works with both XML and JSON, but parses either. The only consequence of this is that JSON won't strictly validate, but that's the case currently anyway.
from cyclonedx-rust-cargo.
Thanks for bringing this up and sorry for the slow response.
I can verify that the validation fails indeed. But having read RFC 3339 I don't see anything in there that limits the amount of fractional digits.
So, I believe that the JSON we produce is actually correct and some tools don't support RFC3339 fully. I might be mistaken though.
It seems as if we want to fix the validator instead?
For reference, here's what I did:
❯ cyclonedx-linux-x64 validate --input-file bom.json --input-version v1_4
Validating JSON BOM...
Validation failed: Value does not match format "date-time"
#/properties/metadata/$ref/properties/timestamp/format
On instance: #/metadata/timestamp:
2023-10-31T20:40:25.785466440Z
BOM is not valid.
This is version 0.25
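To make the two points in the thread concrete (RFC 3339 being a constrained subset of ISO 8601, and RFC 3339 placing no upper bound on fractional-second digits), here is an added example that is not code from cyclonedx-rust-cargo. It is a strict checker written against the `date-time` grammar in RFC 3339 section 5.6 (`time-secfrac = "." 1*DIGIT`, offset as `Z` or `±HH:MM`), paired with a formatter that emits the conservative UTC form from the first comment. The nine-digit timestamp from the validator output above passes the grammar, while ISO 8601 forms that RFC 3339 does not allow (basic format, missing offset, offset without a colon) are rejected. Function and struct names are this example's own.

```rust
// Added example (not project code): a strict RFC 3339 `date-time` checker
// following RFC 3339 section 5.6, plus a formatter for the conservative
// "YYYY-MM-DDTHH:MM:SS[.fffffffff]Z" form that both the JSON (RFC 3339)
// and XML (ISO 8601 xs:dateTime) schemas accept.

#[derive(Debug, PartialEq, Eq)]
pub struct DateTimeParts {
    pub year: u32,
    pub month: u32,
    pub day: u32,
    pub hour: u32,
    pub minute: u32,
    pub second: u32,
    /// Fractional-second digits exactly as written; RFC 3339 allows any count >= 1.
    pub frac_digits: String,
    /// Offset from UTC in minutes; 0 for "Z".
    pub offset_minutes: i32,
}

/// Consume exactly `n` ASCII digits at `*pos` and return their value.
fn take_digits(s: &[u8], pos: &mut usize, n: usize) -> Option<u32> {
    let end = *pos + n;
    if end > s.len() || !s[*pos..end].iter().all(|b| b.is_ascii_digit()) {
        return None;
    }
    let v = s[*pos..end].iter().fold(0u32, |acc, b| acc * 10 + (*b - b'0') as u32);
    *pos = end;
    Some(v)
}

/// Consume one expected literal byte.
fn expect(s: &[u8], pos: &mut usize, c: u8) -> Option<()> {
    if *pos < s.len() && s[*pos] == c { *pos += 1; Some(()) } else { None }
}

/// Parse strictly per the RFC 3339 `date-time` production. Returns None for
/// anything outside that grammar, including ISO 8601 forms such as basic
/// format ("20231031T204025Z"), a missing offset, or an offset without a colon.
pub fn parse_rfc3339(input: &str) -> Option<DateTimeParts> {
    let s = input.as_bytes();
    let mut p = 0;
    let year = take_digits(s, &mut p, 4)?;
    expect(s, &mut p, b'-')?;
    let month = take_digits(s, &mut p, 2)?;
    expect(s, &mut p, b'-')?;
    let day = take_digits(s, &mut p, 2)?;
    // RFC 3339 permits lowercase 't' (and 'z') as well.
    if p >= s.len() || !(s[p] == b'T' || s[p] == b't') { return None; }
    p += 1;
    let hour = take_digits(s, &mut p, 2)?;
    expect(s, &mut p, b':')?;
    let minute = take_digits(s, &mut p, 2)?;
    expect(s, &mut p, b':')?;
    let second = take_digits(s, &mut p, 2)?;
    let mut frac_digits = String::new();
    if p < s.len() && s[p] == b'.' {
        p += 1;
        let start = p;
        while p < s.len() && s[p].is_ascii_digit() { p += 1; }
        if p == start { return None; } // "." must be followed by at least one digit
        frac_digits = input[start..p].to_string();
    }
    let offset_minutes = match s.get(p).copied() {
        Some(b'Z') | Some(b'z') => { p += 1; 0 }
        Some(sign) if sign == b'+' || sign == b'-' => {
            p += 1;
            let oh = take_digits(s, &mut p, 2)?;
            expect(s, &mut p, b':')?; // "+0100" is ISO 8601 but not RFC 3339
            let om = take_digits(s, &mut p, 2)?;
            if oh > 23 || om > 59 { return None; }
            let mins = (oh * 60 + om) as i32;
            if sign == b'-' { -mins } else { mins }
        }
        _ => return None,
    };
    if p != s.len() { return None; } // trailing garbage
    // Range checks from the grammar; second 60 is allowed for leap seconds.
    if !(1..=12).contains(&month) || !(1..=31).contains(&day)
        || hour > 23 || minute > 59 || second > 60 {
        return None;
    }
    Some(DateTimeParts { year, month, day, hour, minute, second, frac_digits, offset_minutes })
}

/// Emit the conservative UTC form; `nanos` is printed as nine digits when non-zero.
pub fn format_rfc3339_utc(year: u32, month: u32, day: u32,
                          hour: u32, minute: u32, second: u32, nanos: u32) -> String {
    if nanos == 0 {
        format!("{:04}-{:02}-{:02}T{:02}:{:02}:{:02}Z", year, month, day, hour, minute, second)
    } else {
        format!("{:04}-{:02}-{:02}T{:02}:{:02}:{:02}.{:09}Z",
                year, month, day, hour, minute, second, nanos)
    }
}

fn main() {
    // Constructed inputs: the timestamp from the validator run above plus ISO 8601 variants.
    for ts in ["2023-10-31T20:40:25.785466440Z", "2023-10-31T20:40:25+01:00",
               "20231031T204025Z", "2023-10-31T20:40:25", "2023-10-31T20:40:25+0100"] {
        let verdict = if parse_rfc3339(ts).is_some() { "RFC 3339 ok" } else { "rejected" };
        println!("{}: {}", ts, verdict);
    }
    println!("{}", format_rfc3339_utc(2023, 10, 31, 20, 40, 25, 785_466_440));
}
```

Running it shows `2023-10-31T20:40:25.785466440Z` accepted, which is why a validator rejecting it on digit count is stricter than the RFC; the three ISO 8601-only forms are rejected, which is why emitting RFC 3339 is the safe choice when one string has to satisfy both schemas.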
I have started a discussion in the CycloneDX Slack and I'll see if there are any results.
If not I'll close this issue as I'm relatively sure that this is not a bug here.
I opened an issue in the .NET library which is used by the CLI. I'm going to close this issue as our JSON documents do indeed seem to be valid.
If you find any other validators that fail please let me know, I'm happy to reach out upstream and try to get them fixed as well.
Thanks for looking into this @lfrancke. It's been long enough that I don't remember how deep I went into RFC 3339 looking at formatting rules.
Entirely possible the validation is too strict.
I looked into it again and technically we are doing something wrong I believe.
We use ISO 8601 when we should be using RFC 3339. I'll reopen this issue for now but we should probably open a new issue. Just so I don't forget.
To be more precise: JSON requires RFC 3339, XML ISO 8601, yay