Merge pull request #83 from CycloneDX/validation

Add validate command for SBOM validation

Author: coderpatros

README.md

@@ -18,6 +18,7 @@ Commands:
   convert                       Convert between different SBOM formats
   diff <from-file> <to-file>    Generate an SBOM diff
   merge                         Merge two or more SBOMs
+  validate                      Validate an SBOM
 ```
 
 The CycloneDX CLI tool currently supports SBOM analysis, diffing, merging and format conversions.
@@ -94,6 +95,21 @@ Options:
   --component-versions                       Report component versions that have been added, removed or modified.
 ```
 
+## Validate Command
+
+```
+validate:
+  Validate an SBOM
+
+Usage:
+  cyclonedx validate [options]
+
+Options:
+  --input-file <input-file>                                                    Input SBOM filename, will read from stdin if no value provided.
+  --input-format <autodetect|json|json_v1_2|xml|xml_v1_0|xml_v1_1|xml_v1_2>    Specify input file format.
+  --fail-on-errors                                                             Fail on validation errors (return a non-zero exit code)
+```
+
 ## Docker Image
 
 The CycloneDX CLI tool can also be run using docker `docker run cyclonedx/cyclonedx-cli`.

cyclonedx/Commands/ValidateCommand.cs

@@ -0,0 +1,213 @@
+using System;
+using System.Collections.Generic;
+using System.CommandLine;
+using System.CommandLine.Invocation;
+using System.IO;
+using System.Linq;
+using System.Reflection;
+using System.Text;
+using System.Text.Json;
+using System.Threading.Tasks;
+using System.Xml;
+using System.Xml.Schema;
+using System.Xml.XPath;
+using Json.Schema;
+using CycloneDX.Models.v1_2;
+using CycloneDX.Json;
+using CycloneDX.CLI.Commands;
+using CycloneDX.CLI.Models;
+
+namespace CycloneDX.CLI
+{
+    internal class ValidateCommand
+    {
+        public enum InputFormat
+        {
+            autodetect,
+            json,
+            json_v1_2,
+            xml,
+            xml_v1_2,
+            xml_v1_1,
+            xml_v1_0,
+        }
+
+        public class Options
+        {
+            public string InputFile { get; set; }
+            public InputFormat InputFormat { get; set; }
+            public bool FailOnErrors { get; set; }
+        }
+
+        internal static void Configure(RootCommand rootCommand)
+        {
+            var subCommand = new Command("validate", "Validate an SBOM");
+            subCommand.Add(new Option<string>("--input-file", "Input SBOM filename, will read from stdin if no value provided."));
+            subCommand.Add(new Option<InputFormat>("--input-format", "Specify input file format."));
+            subCommand.Add(new Option<bool>("--fail-on-errors", "Fail on validation errors (return a non-zero exit code)"));
+            subCommand.Handler = CommandHandler.Create<Options>(Validate);
+            rootCommand.Add(subCommand);
+        }
+
+        public static async Task<int> Validate(Options options)
+        {
+            ValidateInputFormat(options);
+            if (options.InputFormat == InputFormat.autodetect)
+            {
+                Console.Error.WriteLine("Unable to auto-detect input format");
+                return (int)ExitCode.ParameterValidationError;
+            }
+
+            var inputBom = ReadInput(options);
+            if (inputBom == null)
+            {
+                Console.Error.WriteLine("Error reading input, you must specify a value for --input-file or pipe in content");
+                return (int)ExitCode.IOError;
+            }
+
+            var validated = false;
+
+            if (options.InputFormat.ToString().StartsWith("json"))
+            {
+                Console.WriteLine("Validating JSON SBOM...");
+                validated = ValidateJson(options, inputBom);
+            }
+            else if (options.InputFormat.ToString().StartsWith("xml"))
+            {
+                Console.WriteLine("Validating XML SBOM...");
+                validated = ValidateXml(options, inputBom);
+            }
+
+            if (options.FailOnErrors && !validated)
+            {
+                return (int)ExitCode.OkFail;
+            }
+
+            return (int)ExitCode.Ok;
+        }
+
+        static void ValidateInputFormat(Options options)
+        {
+            if (options.InputFormat == InputFormat.autodetect && !string.IsNullOrEmpty(options.InputFile))
+            {
+                if (options.InputFile.EndsWith(".json"))
+                {
+                    options.InputFormat = InputFormat.json;
+                }
+                else if (options.InputFile.EndsWith(".xml"))
+                {
+                    options.InputFormat = InputFormat.xml;
+                }
+            }
+            
+            if (options.InputFormat == InputFormat.json)
+            {
+                options.InputFormat = InputFormat.json_v1_2;
+            }
+            else if (options.InputFormat == InputFormat.xml)
+            {
+                options.InputFormat = InputFormat.xml_v1_2;
+            }
+        }
+
+        static string ReadInput(Options options)
+        {
+            string inputString = null;
+            if (!string.IsNullOrEmpty(options.InputFile))
+            {
+                inputString = File.ReadAllText(options.InputFile);
+            }
+            else if (Console.IsInputRedirected)
+            {
+                var sb = new StringBuilder();
+                string nextLine;
+                do
+                {
+                    nextLine = Console.ReadLine();
+                    sb.AppendLine(nextLine);
+                } while (nextLine != null);
+                inputString = sb.ToString();
+            }
+            return inputString;
+        }
+
+        static bool ValidateXml(Options options, string sbomContents)
+        {
+            XmlReaderSettings settings = new XmlReaderSettings();
+            var schemaVersion = options.InputFormat.ToString().Substring(5).Replace('_', '.');
+            Console.WriteLine($"Using schema v{schemaVersion}");
+            var schemaDirectory = Path.Join(Path.GetDirectoryName(Assembly.GetEntryAssembly().Location), "Schemas");
+            settings.Schemas.Add(
+                $"http://cyclonedx.org/schema/bom/{schemaVersion}",
+                Path.Join(schemaDirectory, $"bom-{schemaVersion}.xsd"));
+            settings.Schemas.Add(
+                "http://cyclonedx.org/schema/spdx",
+                Path.Join(schemaDirectory, "spdx.xsd"));
+            settings.ValidationType = ValidationType.Schema;
+            
+            var stream = new MemoryStream();
+            var writer = new StreamWriter(stream);
+            writer.Write(sbomContents);
+            writer.Flush();
+            stream.Position = 0;
+
+            XmlReader reader = XmlReader.Create(stream, settings);
+            XmlDocument document = new XmlDocument();
+
+            try
+            {
+                document.Load(reader);
+
+                Console.WriteLine("SBOM successfully validated");
+                return true;
+            }
+            catch (XmlSchemaValidationException exc)
+            {
+                var lineInfo = ((IXmlLineInfo)reader);
+                if (lineInfo.HasLineInfo()) {
+                    Console.Error.WriteLine($"Validation failed at line number {lineInfo.LineNumber} and position {lineInfo.LinePosition}: {exc.Message}");
+                }
+                else
+                {
+                    Console.Error.WriteLine($"Validation failed at position {stream.Position}: {exc.Message}");
+                }
+                return false;
+            }
+        }
+
+        static bool ValidateJson(Options options, string sbomContents)
+        {
+            var schemaVersion = options.InputFormat.ToString().Substring(6).Replace('_', '.');
+            Console.WriteLine($"Using schema v{schemaVersion}");
+            var schemaDirectory = Path.Join(Path.GetDirectoryName(Assembly.GetEntryAssembly().Location), "Schemas");
+            var schemaFilename = Path.Join(schemaDirectory, $"bom-{schemaVersion}.schema.json");
+            var spdxFilename = Path.Join(schemaDirectory, $"spdx.schema.json");
+            var schemaContent = File.ReadAllText(schemaFilename);
+            var spdxSchemaContent = File.ReadAllText(spdxFilename);
+
+            var schema = JsonSchema.FromText(schemaContent);
+            var spdxSchema = JsonSchema.FromText(spdxSchemaContent);
+
+            SchemaRegistry.Global.Register(new Uri("file://spdx.schema.json"), spdxSchema);
+
+            var jsonDocument = JsonDocument.Parse(sbomContents);
+            var validationOptions = new ValidationOptions
+            {
+                OutputFormat = OutputFormat.Detailed
+            };
+
+            var result = schema.Validate(jsonDocument.RootElement, validationOptions);
+            if (result.IsValid)
+            {
+                Console.WriteLine("SBOM successfully validated");
+                return true;
+            }
+            else
+            {
+                Console.WriteLine(result.Message);
+                Console.WriteLine(result.SchemaLocation);
+                return false;
+            }
+        }
+    }
+}

cyclonedx/ExitCode.cs

@@ -11,6 +11,8 @@ namespace CycloneDX.CLI
     public enum ExitCode
     {
         Ok,
+        OkFail,
+        IOError,
         ParameterValidationError,
         UnsupportedFormat
     }

cyclonedx/Program.cs

@@ -31,6 +31,7 @@ public static async Task<int> Main(string[] args)
             ConfigureConvertCommand(rootCommand);
             ConfigureDiffCommand(rootCommand);
             ConfigureMergeCommand(rootCommand);
+            ValidateCommand.Configure(rootCommand);
 
             return await rootCommand.InvokeAsync(args);
         }