SBOM does not validate #5186
Comments
Instead of using

```php
<?php
// Render one libxml error as an HTML line (level, code, message, file, line).
function libxml_display_error($error)
{
    $return = "<br/>\n";
    switch ($error->level) {
        case LIBXML_ERR_WARNING:
            $return .= "<b>Warning $error->code</b>: ";
            break;
        case LIBXML_ERR_ERROR:
            $return .= "<b>Error $error->code</b>: ";
            break;
        case LIBXML_ERR_FATAL:
            $return .= "<b>Fatal Error $error->code</b>: ";
            break;
    }
    $return .= trim($error->message);
    if ($error->file) {
        $return .= " in <b>$error->file</b>";
    }
    $return .= " on line <b>$error->line</b>\n";
    return $return;
}

// Print every buffered libxml error, then clear the buffer.
function libxml_display_errors() {
    $errors = libxml_get_errors();
    foreach ($errors as $error) {
        print libxml_display_error($error);
    }
    libxml_clear_errors();
}

// Buffer libxml errors instead of emitting PHP warnings.
libxml_use_internal_errors(true);
$xml = new DOMDocument();
$xml->load('phpunit-10.0.7-sbom.xml');
// Validate the generated SBOM against the CycloneDX 1.4 XSD.
if (!$xml->schemaValidate('bom-1.4.xsd')) {
    print '<b>DOMDocument::schemaValidate() Generated Errors!</b>';
    libxml_display_errors();
}
```

Where:
Script execution gave me:

https://cyclonedx.org/schema/bom/1.4 is what we reference in the generated XML.
Ok got it! With cyclonedx-cli validate command. Version is not auto-detected, so specify it and you'll get error: easy to fix then!
Replace https://github.com/sebastianbergmann/phpunit/blob/main/build/scripts/phar-manifest.php#L54 (https) by (http)
This sounds like an issue with their validator: why do they refuse HTTPS and want HTTP? Sounds silly to me.
Agree with you!
Official specification uses http protocol
Is
They decided (CycloneDX) to use only (at date of today) |
I get that. But is this the only reason why PHPUnit's SBOM does not validate?
Yes. I've just re-checked at least with PHPUnit 10.0.7 PHAR by their own validator:
Thank you!
@sebastianbergmann @llaville I feel obliged to point out that in the So no, it's not silly at all, using HTTPS instead of HTTP is in fact a big mistake 😄 EDIT: To strengthen the concept above, the "URL" you get out of it does not necessarily point to anything, it can be a 404 or a non-existing subdomain or anything. You are not meant to use it as a URL at all.
@thg2k Thank you for clarifying, and sorry for using the word "silly". |
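The point made in the thread, that an XML namespace is an identifier compared byte for byte rather than a URL to be fetched, can be checked before running a full schema validation. The script below is an added example, not code from the issue thread or from PHPUnit: it loads a CycloneDX document with `DOMDocument`, compares the root element's namespace with the `http://cyclonedx.org/schema/bom/1.4` namespace the 1.4 XSD declares, and calls out the case where the only difference is the `https://` scheme. The two embedded SBOMs are constructed minimal inputs; the `bom-1.4.xsd` path used for the optional full validation is an assumption.

```php
<?php
// Added example (not from the issue or PHPUnit). Pre-check the root namespace
// of a CycloneDX SBOM before calling DOMDocument::schemaValidate(), so that a
// namespace typo such as https:// vs http:// is reported in plain words instead
// of a generic "no matching global declaration" schema error.

const CYCLONEDX_14_NS = 'http://cyclonedx.org/schema/bom/1.4';

/**
 * Return [] when the root element is <bom> in the expected namespace,
 * otherwise a list of human-readable problems.
 */
function checkBomNamespace(string $xml, string $expected = CYCLONEDX_14_NS): array
{
    $problems = [];
    $prev = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    if (!$dom->loadXML($xml)) {
        foreach (libxml_get_errors() as $e) {
            $problems[] = sprintf('XML parse error %d: %s', $e->code, trim($e->message));
        }
        libxml_clear_errors();
        libxml_use_internal_errors($prev);
        return $problems;
    }
    libxml_use_internal_errors($prev);

    $root = $dom->documentElement;
    if ($root->localName !== 'bom') {
        $problems[] = "root element is <{$root->localName}>, expected <bom>";
    }
    $ns = $root->namespaceURI ?? '(none)';
    if ($ns !== $expected) {
        $problems[] = "root namespace is {$ns}, expected {$expected}";
        // Same string apart from the scheme: the namespace is an identifier,
        // not a location, so the XSD will never match the https variant.
        if (preg_replace('#^https://#', 'http://', $ns) === $expected) {
            $problems[] = 'only the https:// scheme differs; the namespace must match the XSD exactly';
        }
    }
    return $problems;
}

// Constructed minimal SBOMs: the https namespace as emitted by the PHAR
// manifest script discussed above, and the http namespace the spec uses.
$wrong = '<?xml version="1.0" encoding="UTF-8"?>' . "\n"
    . '<bom xmlns="https://cyclonedx.org/schema/bom/1.4" version="1"><components/></bom>';
$right = '<?xml version="1.0" encoding="UTF-8"?>' . "\n"
    . '<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1"><components/></bom>';

foreach (['https variant' => $wrong, 'http variant' => $right] as $label => $doc) {
    $problems = checkBomNamespace($doc);
    echo $label, ': ', $problems ? implode('; ', $problems) : 'namespace OK', "\n";
}

// Optional full validation when the schema is available locally. The path is
// an assumption: place bom-1.4.xsd (and the spdx.xsd it imports) next to
// this script, taken from the CycloneDX specification repository.
$xsd = __DIR__ . '/bom-1.4.xsd';
if (is_file($xsd)) {
    $dom = new DOMDocument();
    $dom->loadXML($right);
    echo 'schemaValidate: ', $dom->schemaValidate($xsd) ? 'valid' : 'invalid', "\n";
}
```

Running it prints the namespace mismatch for the https document and `namespace OK` for the http one; the schema step only runs when the XSD is present, so the namespace check itself works offline.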
Reported by @llaville in box-project/box#841 (comment).