Examples

Complex Serialize

# This file is part of CycloneDX Python Library
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) OWASP Foundation. All Rights Reserved.

import sys
from typing import TYPE_CHECKING

from packageurl import PackageURL

from cyclonedx.contrib.license.factories import LicenseFactory
from cyclonedx.contrib.this.builders import this_component as cdx_lib_component
from cyclonedx.exception import MissingOptionalDependencyException
from cyclonedx.model import XsUri
from cyclonedx.model.bom import Bom
from cyclonedx.model.component import Component, ComponentType
from cyclonedx.model.contact import OrganizationalEntity
from cyclonedx.output import make_outputter
from cyclonedx.output.json import JsonV1Dot5
from cyclonedx.schema import OutputFormat, SchemaVersion
from cyclonedx.validation import make_schemabased_validator
from cyclonedx.validation.json import JsonStrictValidator

if TYPE_CHECKING:
    from cyclonedx.output.json import Json as JsonOutputter
    from cyclonedx.output.xml import Xml as XmlOutputter
    from cyclonedx.validation.xml import XmlValidator


lc_factory = LicenseFactory()

# region build the BOM

bom = Bom()
bom.metadata.tools.components.add(cdx_lib_component())
bom.metadata.tools.components.add(Component(
    name='my-own-SBOM-generator',
    type=ComponentType.APPLICATION,
))

bom.metadata.component = root_component = Component(
    name='myApp',
    type=ComponentType.APPLICATION,
    licenses=[lc_factory.make_from_string('MIT')],
    bom_ref='myApp',
)

component1 = Component(
    type=ComponentType.LIBRARY,
    name='some-component',
    group='acme',
    version='1.33.7-beta.1',
    licenses=[lc_factory.make_from_string('(c) 2021 Acme inc.')],
    supplier=OrganizationalEntity(
        name='Acme Inc',
        urls=[XsUri('https://www.acme.org')]
    ),
    bom_ref='myComponent@1.33.7-beta.1',
    purl=PackageURL('generic', 'acme', 'some-component', '1.33.7-beta.1')
)
bom.components.add(component1)
bom.register_dependency(root_component, [component1])

component2 = Component(
    type=ComponentType.LIBRARY,
    name='some-library',
    licenses=[lc_factory.make_from_string('GPL-3.0-only WITH Classpath-exception-2.0')]
)
bom.components.add(component2)
bom.register_dependency(component1, [component2])

# endregion build the BOM

# region JSON
"""demo with explicit instructions for SchemaVersion, outputter and validator"""

my_json_outputter: 'JsonOutputter' = JsonV1Dot5(bom)
serialized_json = my_json_outputter.output_as_string(indent=2)
print(serialized_json)
my_json_validator = JsonStrictValidator(SchemaVersion.V1_7)
try:
    json_validation_errors = my_json_validator.validate_str(serialized_json)
    if json_validation_errors:
        print('JSON invalid', 'ValidationError:', repr(json_validation_errors), sep='\n', file=sys.stderr)
        sys.exit(2)
    print('JSON valid')
except MissingOptionalDependencyException as error:
    print('JSON-validation was skipped due to', error)

# endregion JSON

print('', '=' * 30, '', sep='\n')

# region XML
"""demo with implicit instructions for SchemaVersion, outputter and validator. TypeCheckers will catch errors."""

my_xml_outputter: 'XmlOutputter' = make_outputter(bom, OutputFormat.XML, SchemaVersion.V1_7)
serialized_xml = my_xml_outputter.output_as_string(indent=2)
print(serialized_xml)
my_xml_validator: 'XmlValidator' = make_schemabased_validator(
    my_xml_outputter.output_format, my_xml_outputter.schema_version)
try:
    xml_validation_errors = my_xml_validator.validate_str(serialized_xml)
    if xml_validation_errors:
        print('XML invalid', 'ValidationError:', repr(xml_validation_errors), sep='\n', file=sys.stderr)
        sys.exit(2)
    print('XML valid')
except MissingOptionalDependencyException as error:
    print('XML-validation was skipped due to', error)

# endregion XML

Complex Deserialize

# This file is part of CycloneDX Python Library
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) OWASP Foundation. All Rights Reserved.

import sys
import warnings
from json import loads as json_loads
from typing import TYPE_CHECKING

from defusedxml import ElementTree as SafeElementTree  # type:ignore[import-untyped]

from cyclonedx.exception import MissingOptionalDependencyException
from cyclonedx.model.bom import Bom
from cyclonedx.schema import OutputFormat, SchemaVersion
from cyclonedx.schema.deprecation import BaseSchemaDeprecationWarning
from cyclonedx.validation import make_schemabased_validator
from cyclonedx.validation.json import JsonStrictValidator

if TYPE_CHECKING:
    from cyclonedx.validation.xml import XmlValidator

# region JSON

json_data = """{
  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.7",
  "serialNumber": "urn:uuid:88fabcfa-7529-4ba2-8256-29bec0c03900",
  "version": 1,
  "metadata": {
    "timestamp": "2024-02-10T21:38:53.313120+00:00",
    "tools": [
      {
        "vendor": "CycloneDX",
        "name": "cyclonedx-python-lib",
        "version": "6.4.1",
        "externalReferences": [
          {
            "type": "build-system",
            "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions"
          },
          {
            "type": "distribution",
            "url": "https://pypi.org/project/cyclonedx-python-lib/"
          },
          {
            "type": "documentation",
            "url": "https://cyclonedx-python-library.readthedocs.io/"
          },
          {
            "type": "issue-tracker",
            "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues"
          },
          {
            "type": "license",
            "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE"
          },
          {
            "type": "release-notes",
            "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md"
          },
          {
            "type": "vcs",
            "url": "https://github.com/CycloneDX/cyclonedx-python-lib"
          },
          {
            "type": "website",
            "url": "https://github.com/CycloneDX/cyclonedx-python-lib/#readme"
          }
        ]
      }
    ],
    "component": {
      "bom-ref": "myApp",
      "name": "myApp",
      "type": "application",
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ]
    }
  },
  "components": [
    {
      "bom-ref": "myComponent@1.33.7-beta.1",
      "type": "library",
      "group": "acme",
      "name": "some-component",
      "version": "1.33.7-beta.1",
      "purl": "pkg:generic/acme/some-component@1.33.7-beta.1",
      "licenses": [
        {
          "license": {
            "name": "(c) 2021 Acme inc."
          }
        }
      ],
      "supplier": {
        "name": "Acme Inc",
        "url": [
          "https://www.acme.org"
        ]
      }
    },
    {
      "bom-ref": "some-lib",
      "type": "library",
      "name": "some-library",
      "licenses": [
        {
          "expression": "GPL-3.0-only WITH Classpath-exception-2.0"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "some-lib"
    },
    {
      "dependsOn": [
        "myComponent@1.33.7-beta.1"
      ],
      "ref": "myApp"
    },
    {
      "dependsOn": [
        "some-lib"
      ],
      "ref": "myComponent@1.33.7-beta.1"
    }
  ]
}"""
my_json_validator = JsonStrictValidator(SchemaVersion.V1_7)
try:
    json_validation_errors = my_json_validator.validate_str(json_data)
    if json_validation_errors:
        print('JSON invalid', 'ValidationError:', repr(json_validation_errors), sep='\n', file=sys.stderr)
        sys.exit(2)
    print('JSON valid')
except MissingOptionalDependencyException as error:
    print('JSON-validation was skipped due to', error)
with warnings.catch_warnings():
    warnings.filterwarnings('ignore', category=BaseSchemaDeprecationWarning)
    bom_from_json = Bom.from_json(  # type: ignore[attr-defined]
        json_loads(json_data))
print('bom_from_json', repr(bom_from_json))

# endregion JSON

print('', '=' * 30, '', sep='\n')

# endregion XML

xml_data = """<?xml version="1.0" ?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.7"
  serialNumber="urn:uuid:88fabcfa-7529-4ba2-8256-29bec0c03900"
  version="1"
>
  <metadata>
    <timestamp>2024-02-10T21:38:53.313120+00:00</timestamp>
    <tools>
      <tool>
        <vendor>CycloneDX</vendor>
        <name>cyclonedx-python-lib</name>
        <version>6.4.1</version>
        <externalReferences>
          <reference type="build-system">
            <url>https://github.com/CycloneDX/cyclonedx-python-lib/actions</url>
          </reference>
          <reference type="distribution">
            <url>https://pypi.org/project/cyclonedx-python-lib/</url>
          </reference>
          <reference type="documentation">
            <url>https://cyclonedx-python-library.readthedocs.io/</url>
          </reference>
          <reference type="issue-tracker">
            <url>https://github.com/CycloneDX/cyclonedx-python-lib/issues</url>
          </reference>
          <reference type="license">
            <url>https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE</url>
          </reference>
          <reference type="release-notes">
            <url>https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md</url>
          </reference>
          <reference type="vcs">
            <url>https://github.com/CycloneDX/cyclonedx-python-lib</url>
          </reference>
          <reference type="website">
            <url>https://github.com/CycloneDX/cyclonedx-python-lib/#readme</url>
          </reference>
        </externalReferences>
      </tool>
    </tools>
    <component type="application" bom-ref="myApp">
      <name>myApp</name>
      <licenses>
        <license>
          <id>MIT</id>
        </license>
      </licenses>
    </component>
  </metadata>
  <components>
    <component type="library" bom-ref="myComponent@1.33.7-beta.1">
      <supplier>
        <name>Acme Inc</name>
        <url>https://www.acme.org</url>
      </supplier>
      <group>acme</group>
      <name>some-component</name>
      <version>1.33.7-beta.1</version>
      <licenses>
        <license>
          <name>(c) 2021 Acme inc.</name>
        </license>
      </licenses>
      <purl>pkg:generic/acme/some-component@1.33.7-beta.1</purl>
    </component>
    <component type="library" bom-ref="some-lib">
      <name>some-library</name>
      <licenses>
        <expression>GPL-3.0-only WITH Classpath-exception-2.0</expression>
      </licenses>
    </component>
  </components>
  <dependencies>
    <dependency ref="some-lib"/>
    <dependency ref="myApp">
      <dependency ref="myComponent@1.33.7-beta.1"/>
    </dependency>
    <dependency ref="myComponent@1.33.7-beta.1">
      <dependency ref="some-lib"/>
    </dependency>
  </dependencies>
</bom>"""
my_xml_validator: 'XmlValidator' = make_schemabased_validator(OutputFormat.XML, SchemaVersion.V1_7)
try:
    xml_validation_errors = my_xml_validator.validate_str(xml_data)
    if xml_validation_errors:
        print('XML invalid', 'ValidationError:', repr(xml_validation_errors), sep='\n', file=sys.stderr)
        sys.exit(2)
    print('XML valid')
except MissingOptionalDependencyException as error:
    print('XML-validation was skipped due to', error)
with warnings.catch_warnings():
    warnings.filterwarnings('ignore', category=BaseSchemaDeprecationWarning)
    bom_from_xml = Bom.from_xml(  # type: ignore[attr-defined]
        SafeElementTree.fromstring(xml_data))
print('bom_from_xml', repr(bom_from_xml))

# endregion XML

print('', '=' * 30, '', sep='\n')

print('assert bom_from_json equals bom_from_xml')
assert bom_from_json == bom_from_xml, 'expected to have equal BOMs from JSON and XML'

Complex Validation

# This file is part of CycloneDX Python Library
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) OWASP Foundation. All Rights Reserved.

import json
import sys
from typing import TYPE_CHECKING, Optional

from cyclonedx.exception import MissingOptionalDependencyException
from cyclonedx.schema import OutputFormat, SchemaVersion
from cyclonedx.validation import make_schemabased_validator
from cyclonedx.validation.json import JsonValidationError

if TYPE_CHECKING:
    from cyclonedx.validation.json import JsonValidator
    from cyclonedx.validation.xml import XmlValidator

"""
This example demonstrates how to validate CycloneDX documents (both JSON and XML).
Make sure to have the needed dependencies installed - install the library's extra 'validation' for that.
"""

# region Sample SBOMs

JSON_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "component": {
      "type": "application",
      "name": "my-app",
      "version": "1.0.0"
    }
  },
  "components": []
}
"""

XML_SBOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <metadata>
    <component type="application">
      <name>my-app</name>
      <version>1.0.0</version>
    </component>
  </metadata>
</bom>
"""

INVALID_JSON_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "component": {
      "type": "invalid-type",
      "name": "my-app"
    }
  }
}
"""
# endregion Sample SBOMs


# region JSON Validation

print('--- JSON Validation ---')

# Create a JSON validator for a specific schema version
json_validator: 'JsonValidator' = make_schemabased_validator(OutputFormat.JSON, SchemaVersion.V1_5)

# 1. Validate valid SBOM
try:
    validation_error = json_validator.validate_str(JSON_SBOM)
except MissingOptionalDependencyException as error:
    print('JSON validation was skipped:', error)
else:
    if validation_error:
        print('JSON SBOM is unexpectedly invalid!', file=sys.stderr)
    else:
        print('JSON SBOM is valid')

    # 2. Validate invalid SBOM and inspect details
    print('\nChecking invalid JSON SBOM...')
    try:
        validation_error = json_validator.validate_str(INVALID_JSON_SBOM)
    except MissingOptionalDependencyException as error:
        print('JSON validation was skipped:', error)
    else:
        if validation_error:
            if not isinstance(validation_error, JsonValidationError):
                raise TypeError('Expected a single JSON validation error')
            print('Validation failed as expected.')
            print(f'Error Message: {validation_error.data.message}')
            print(f'JSON Path:     {validation_error.data.json_path}')
            print(f'Invalid Data:  {validation_error.data.instance}')

# endregion JSON Validation


print('\n' + '=' * 30 + '\n')


# region XML Validation

print('--- XML Validation ---')

xml_validator: 'XmlValidator' = make_schemabased_validator(OutputFormat.XML, SchemaVersion.V1_5)

try:
    xml_validation_errors = xml_validator.validate_str(XML_SBOM)
    if xml_validation_errors:
        print('XML SBOM is invalid!', file=sys.stderr)
    else:
        print('XML SBOM is valid')
except MissingOptionalDependencyException as error:
    print('XML validation was skipped:', error)

# endregion XML Validation


print('\n' + '=' * 30 + '\n')


# region Dynamic version detection

print('--- Dynamic Validation ---')


def _detect_json_format(raw_data: str) -> Optional[tuple[OutputFormat, SchemaVersion]]:
    """Detect JSON format and extract schema version."""
    try:
        data = json.loads(raw_data)
    except json.JSONDecodeError:
        return None

    spec_version_str = data.get('specVersion')
    try:
        schema_version = SchemaVersion.from_version(spec_version_str)
    except Exception:
        print('failed to detect schema_version from', repr(spec_version_str), file=sys.stderr)
        return None
    return (OutputFormat.JSON, schema_version)


def _detect_xml_format(raw_data: str) -> Optional[tuple[OutputFormat, SchemaVersion]]:
    try:
        from lxml import etree  # type: ignore[import-untyped]
    except ImportError:
        return None

    try:
        xml_tree = etree.fromstring(raw_data.encode('utf-8'))
    except etree.XMLSyntaxError:
        return None

    for ns in xml_tree.nsmap.values():
        if ns and ns.startswith('http://cyclonedx.org/schema/bom/'):
            version_str = ns.split('/')[-1]
            try:
                return (OutputFormat.XML, SchemaVersion.from_version(version_str))
            except Exception:
                print('failed to detect schema_version from namespace', repr(ns), file=sys.stderr)
                return None

    print('failed to detect CycloneDX namespace in XML document', file=sys.stderr)
    return None


def validate_sbom(raw_data: str) -> bool:
    """Validate an SBOM by detecting its format and version."""
    # Detect format and version
    format_info = _detect_json_format(raw_data) or _detect_xml_format(raw_data)
    if not format_info:
        return False

    input_format, schema_version = format_info
    try:
        validator = make_schemabased_validator(input_format, schema_version)
        errors = validator.validate_str(raw_data)
        if errors:
            print(f'Validation failed ({input_format.name} {schema_version.to_version()}): {errors}',
                  file=sys.stderr)
            return False
        print(f'Valid {input_format.name} SBOM (schema {schema_version.to_version()})')
        return True
    except MissingOptionalDependencyException as e:
        print(f'Validation skipped (missing dependencies): {e}')
        return False


# Execute dynamic validation
validate_sbom(JSON_SBOM)
validate_sbom(XML_SBOM)

# endregion Dynamic version detection