mirror of
https://github.com/anchore/grype
synced 2024-09-20 06:21:56 +00:00
18241e8986
* bump syft to main Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * upgdate cyclonedx presenter fixtures (bump from cdx 1.4 to 1.5) Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * update cyclonedx schema Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * allow for pkg type exceptions for github actions and workflows Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * update cyclonedx json schema from v1.4 to v1.5 Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * bump to syft v0.91.0 Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * upgrade go-setup action to v4 Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * remove asset upload from release workflow Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> --------- Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> |
||
|---|---|---|
| .. | ||
| .gitignore | ||
| cyclonedx.json | ||
| cyclonedx.xsd | ||
| Makefile | ||
| README.md | ||
| spdx.xsd | ||
CycloneDX Schemas
grype generates a CycloneDX output. This validation is similar to what is done in syft, validating output against CycloneDX schemas.
Validation is done with xmllint, which requires a copy of all schemas because it can't work with HTTP references. The schemas are modified to reference local copies of dependent schemas.
Updating
You will need to go to https://github.com/CycloneDX/specification/blob/1.5/schema and download the latest bom-#.#.xsd and spdx.xsd.
Additionally, for xmllint to function you will need to patch the bom schema with the location to the SPDX schema by changing:
<xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="http://cyclonedx.org/schema/spdx"/>
To:
<xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="spdx.xsd"/>