Description
Example
import json
from cyclonedx.model.bom import Bom
from cyclonedx.validation.json import JsonStrictValidator
from cyclonedx.schema import OutputFormat, SchemaVersion

specification = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "serialNumber": "urn:uuid:835142d8-05ce-4729-bcb9-ff39cb67eb37",
    "version": 1,
    "metadata": {
        "timestamp": "2025-03-10T17:25:47Z",
        "tools": {
            "services": [
                {
                    "provider": {
                        "name": "Example",
                        "url": [
                            "https://example.com/"
                        ],
                        "bom-ref": "Example"
                    },
                    "name": "Example",
                }
            ]
        },
        "properties": []
    }
}

validator = JsonStrictValidator(SchemaVersion.V1_6)
if validator.validate_str(json.dumps(specification)) is not None:
    raise Exception("Validation failed")

Bom.from_json(specification)  # raises an error
The error that Bom.from_json throws is ValueError: Unexpected key bom-ref/bom-ref in data being serialized to cyclonedx.model.contact.OrganizationalEntity
Cause
I believe OrganizationalEntity is missing the attribute bom_ref. It seems that the schema includes it, so the example specification above is correct: https://cyclonedx.org/docs/1.6/xml/#type_organizationalEntity
Fix
Adding bom_ref to OrganizationalEntity should resolve the issue. The attribute should be attached to the bom-ref key, similar to the class cyclonedx.model.contact.PostalAddress.
Environment
I ran into the error using Python 3.10.12 and also in 3.13.2. I used version 9.1.0 of the package cyclonedx-python-lib. Hashes:
files = [
    {file = "cyclonedx_python_lib-9.1.0-py3-none-any.whl", hash = "sha256:55693fca8edaecc3363b24af14e82cc6e659eb1e8353e58b587c42652ce0fb52"},
    {file = "cyclonedx_python_lib-9.1.0.tar.gz", hash = "sha256:86935f2c88a7b47a529b93c724dbd3e903bc573f6f8bd977628a7ca1b5dadea1"},
]
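An added example, not part of the original report and not code from cyclonedx-python-lib: a standard-library pre-check that an SBOM ingestion pipeline could run to locate (and optionally strip) the bom-ref key on organizational entities, the key named in the ValueError above, so schema-valid documents are flagged rather than aborting the import. The set of property names treated as organizational entities and all function names are assumptions made for this sketch.

```python
import copy

# Assumption (not from the issue): property names under which a CycloneDX 1.6
# JSON document holds an organizationalEntity object. Extend as needed.
ORG_ENTITY_KEYS = {"provider", "supplier", "manufacturer", "manufacture", "organization"}


def _walk(node, path="$"):
    """Yield (json_path, entity_dict) for each organizational entity found."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in ORG_ENTITY_KEYS and isinstance(value, dict):
                yield child, value
            yield from _walk(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from _walk(item, f"{path}[{index}]")


def find_org_entity_bom_refs(document):
    """Return [(json_path, bom_ref)] for entities that carry a bom-ref key."""
    return [(p, e["bom-ref"]) for p, e in _walk(document) if "bom-ref" in e]


def strip_org_entity_bom_refs(document):
    """Return (deep copy without those keys, findings); the input is untouched."""
    cleaned = copy.deepcopy(document)
    findings = find_org_entity_bom_refs(cleaned)
    # Collect all entities first, then mutate, so the walk never sees a changing dict.
    for _, entity in list(_walk(cleaned)):
        entity.pop("bom-ref", None)
    return cleaned, findings


# Constructed sample mirroring the shape of the document in the report above.
SAMPLE = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "metadata": {"tools": {"services": [
        {"name": "Example",
         "provider": {"name": "Example", "bom-ref": "Example"}},
    ]}},
}

if __name__ == "__main__":
    cleaned, findings = strip_org_entity_bom_refs(SAMPLE)
    for path, ref in findings:
        print(f"{path}: bom-ref={ref!r} removed before deserialization")
```

Stripping a bom-ref removes a reference target, so log the findings and check that nothing else in the document refers to the removed value before relying on the cleaned copy.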