Failed to load JSON 1.4 format

[pombredanne]

A license was found in some CDX 1.4 doc with this data:

"licenses":[{}]

This makes the validation fail and the doc does not load.
This is another example where we should be able to load the document, normalize and report a warning but not fail entirely.

NB: this is a document produced by some proprietary tool that I do not control.

@tomd ping

[jkowalleck]

hould be able to load the document, normalize and report a warning but not fail entirely.

Why do you think so?
Your case is invalid input and should not load at all.

The following JSON would be schema invalid:

{
  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:47381185-339e-4087-a118-ef1d8e6e1d3f",
  "version": 1337,
  "components": [
    {
      "type": "library",
      "name": "regression for issue #610",
      "externalReferences": [
        {
          "type": "other",
          "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues/610"
        }
      ],
      "licenses": [{}]
    }
  ]
}

[pombredanne]

@jkowalleck I get that this is schema invalid, but there are tools (not mine) that create such data.

I think that the library should accept "almost" valid docs as they are seen in the wild. If it cannot, then this is mostly useless as not only it cannot process these documents, but also one cannot load them first to diagnose the issue.

And this kind of problems forces the users to create pre-processing code to fix things up, not a good thing IMHO and this is a disservice to this library.

Note that this issue is mostly the same as #600 : validating the data should be an option and should not be strict all the times.

[jkowalleck]

one cannot load them first to diagnose the issue.

Is that so? This library comes with a schema validator. Is it not able to detect this invalid document?

validating the data should be an option and should not be strict all the times.

this is not an issue of validating, but the fact that invalid data is not expected to work in no way. There is just no defined way to "load" invalid data. You could argue to have behavior A, others could argue to have behavior B - when there is just no correct behavior for this case in the first place.

PS: see https://cyclonedx-python-library.readthedocs.io/en/latest/examples.html#complex-deserialize for an example of deserialization after successful validation.

[pombredanne]

So basically some CDX will not be loadable by this library short of writing an external wrapper.

[jkowalleck]

So basically some CDX will not be loadable

This library is responsible for loading all VALID CycloneDX.
This goal is not reached yet. see #581 & #578 & #537