XML serialization of components with authors results in invalid CycloneDX SBOM #638

MarcelBochtler · 2025-05-06T12:26:01Z

When using cyclonedx-core-java to write a CycloneDX SBOM as an XML, the resulting SBOM is invalid.

Expected:

  <components>
    <component type="library" bom-ref="Maven:me.xdrop:fuzzywuzzy:1.4.0">
      <authors>
        <author>
          <name>Panayiotis P</name>
        </author>
      </authors>
    </component>
  </components>

Actual:

  <components>
    <component type="library" bom-ref="Maven:me.xdrop:fuzzywuzzy:1.4.0">
      <authors>
        <authors>
          <name>Panayiotis P</name>
        </authors>
      </authors>
    </component>
  </components>

Note the plural of authors in the nested tag.

The spec, and also the cyclonedx-cli show that the nested block should be author instead of authors.

We discovered this when generating CycloneDX reports using ORT, which uses cyclonedx-core-java.
In ORT I wrote a test to reproduce this issue: oss-review-toolkit/ort#10271.

The text was updated successfully, but these errors were encountered:

This test is currently expected to fail due to a bug in the cyclonedx-core-java [1]. [1]: CycloneDX/cyclonedx-core-java#638 Signed-off-by: Marcel Bochtler <[email protected]>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

XML serialization of components with authors results in invalid CycloneDX SBOM #638

XML serialization of components with authors results in invalid CycloneDX SBOM #638

MarcelBochtler commented May 6, 2025

XML serialization of components with authors results in invalid CycloneDX SBOM #638

XML serialization of components with authors results in invalid CycloneDX SBOM #638

Comments

MarcelBochtler commented May 6, 2025