grype/schema/cyclonedx/README.md

# CycloneDX Schemas

`grype` generates a CycloneDX output. This validation is similar to what is done in `syft`, validating output against CycloneDX schemas.

Validation is done with `xmllint`, which requires a copy of all schemas because it can't work with HTTP references. The schemas are modified to reference local copies of dependent schemas.

## Updating

You will need to go to https://github.com/CycloneDX/specification/blob/1.5/schema and download the latest `bom-#.#.xsd` and `spdx.xsd`.

Additionally, for `xmllint` to function you will need to patch the bom schema with the location to the SPDX schema by changing:

```xml
<xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="http://cyclonedx.org/schema/spdx"/>
```

To:
```xml
<xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="spdx.xsd"/>
```
tests: add cyclonedx schema check Signed-off-by: Alfredo Deza <adeza@anchore.com> 2020-09-16 14:50:57 +00:00			`# CycloneDX Schemas`

feat: swap custom cyclone-dx model for cyclone-dx library (#1038) grype currently produces CYCLONE-DX SBOM that are not compliant with the cyclone-dx tooling libraries. Rather than write the logic in two places, this PR moves grype to use syft's formatting functions as a library to produce valid CYCLONE-DX SBOM components along with the discovered vulnerabilities. For more context on impacted issues: https://github.com/anchore/grype/issues/796 https://github.com/anchore/grype/issues/951 2022-12-22 16:35:09 +00:00			`grype` generates a CycloneDX output. This validation is similar to what is done in `syft`, validating output against CycloneDX schemas.
tests: add cyclonedx schema check Signed-off-by: Alfredo Deza <adeza@anchore.com> 2020-09-16 14:50:57 +00:00
			Validation is done with `xmllint`, which requires a copy of all schemas because it can't work with HTTP references. The schemas are modified to reference local copies of dependent schemas.
Upgrade syft to v0.91.0 (#1508) * bump syft to main Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * upgdate cyclonedx presenter fixtures (bump from cdx 1.4 to 1.5) Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * update cyclonedx schema Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * allow for pkg type exceptions for github actions and workflows Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * update cyclonedx json schema from v1.4 to v1.5 Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * bump to syft v0.91.0 Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * upgrade go-setup action to v4 Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * remove asset upload from release workflow Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> --------- Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> 2023-09-20 20:39:23 +00:00
			`## Updating`

			You will need to go to https://github.com/CycloneDX/specification/blob/1.5/schema and download the latest `bom-#.#.xsd` and `spdx.xsd`.

			Additionally, for `xmllint` to function you will need to patch the bom schema with the location to the SPDX schema by changing:

			```xml
			`<xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="http://cyclonedx.org/schema/spdx"/>`
			```

			`To:`
			```xml
			`<xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="spdx.xsd"/>`
			```