mirror of
https://github.com/anchore/grype
synced 2024-09-20 14:31:59 +00:00
18241e8986
* bump syft to main
  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update cyclonedx presenter fixtures (bump from cdx 1.4 to 1.5)
  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update cyclonedx schema
  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* allow for pkg type exceptions for github actions and workflows
  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update cyclonedx json schema from v1.4 to v1.5
  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump to syft v0.91.0
  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* upgrade go-setup action to v4
  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove asset upload from release workflow
  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
20 lines
No EOL
846 B
Markdown
# CycloneDX Schemas
`grype` generates CycloneDX output. As in `syft`, that output is validated against the CycloneDX schemas.
Validation is done with `xmllint`, which requires a copy of all schemas because it can't work with HTTP references. The schemas are modified to reference local copies of dependent schemas.
## Updating
You will need to go to https://github.com/CycloneDX/specification/blob/1.5/schema and download the latest `bom-#.#.xsd` and `spdx.xsd`.
Additionally, for `xmllint` to function, you will need to patch the bom schema so that it points to the local copy of the SPDX schema, by changing:
```xml
<xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="http://cyclonedx.org/schema/spdx"/>
```
To:
```xml
<xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="spdx.xsd"/>
```
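
The patch above, scripted together with a check that no schema in the directory still depends on an HTTP reference or on a local file that is missing. This is an added example, not part of the grype repository; the function names are hypothetical, and the downloaded schemas are assumed to sit together in one directory.

```shell
#!/usr/bin/env bash
# Added example, not part of the grype repository. Function names are hypothetical.

# Point the SPDX import of a downloaded bom-#.#.xsd at the local spdx.xsd.
# Only the schemaLocation attribute changes; the namespace URI stays as-is.
patch_spdx_import() {
  local bom_xsd="$1" tmp
  tmp="$(mktemp)" || return 1
  sed 's|schemaLocation="http://cyclonedx.org/schema/spdx"|schemaLocation="spdx.xsd"|' \
    "$bom_xsd" > "$tmp" || { rm -f "$tmp"; return 1; }
  cat "$tmp" > "$bom_xsd"; local rc=$?   # overwrite in place, keeping file permissions
  rm -f "$tmp"
  return "$rc"
}

# Report every schemaLocation in DIR/*.xsd that is still an HTTP(S) reference
# or that names a file not present in DIR. Returns non-zero on any finding.
check_schema_dir() {
  local dir="$1" status=0 xsd loc locs
  for xsd in "$dir"/*.xsd; do
    [ -e "$xsd" ] || continue
    locs="$(grep -oE 'schemaLocation="[^"]*"' "$xsd" \
      | sed -E 's/^schemaLocation="(.*)"$/\1/')"
    for loc in $locs; do
      case "$loc" in
        http://*|https://*)
          echo "remote reference: $xsd -> $loc"; status=1 ;;
        *)
          [ -f "$dir/$loc" ] || { echo "missing local schema: $xsd -> $loc"; status=1; } ;;
      esac
    done
  done
  return "$status"
}

# Validate a CycloneDX XML document against a local schema.
# --nonet stops xmllint from fetching anything over the network.
validate_bom() {
  local schema="$1" document="$2"
  xmllint --nonet --noout --schema "$schema" "$document"
}
```

Run `check_schema_dir` on the schema directory after every update; a non-zero exit means a newly downloaded schema still needs its references patched or a dependent schema was not downloaded.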