XML serialization of components with authors results in invalid CycloneDX SBOM

[MarcelBochtler]

When using cyclonedx-core-java to write a CycloneDX SBOM as an XML, the resulting SBOM is invalid.

Expected:

  <components>
    <component type="library" bom-ref="Maven:me.xdrop:fuzzywuzzy:1.4.0">
      <authors>
        <author>
          <name>Panayiotis P</name>
        </author>
      </authors>
    </component>
  </components>

Actual:

  <components>
    <component type="library" bom-ref="Maven:me.xdrop:fuzzywuzzy:1.4.0">
      <authors>
        <authors>
          <name>Panayiotis P</name>
        </authors>
      </authors>
    </component>
  </components>

Note the plural of authors in the nested tag.

The spec, and also the cyclonedx-cli show that the nested block should be author instead of authors.

We discovered this when generating CycloneDX reports using ORT, which uses cyclonedx-core-java.
In ORT I wrote a test to reproduce this issue: oss-review-toolkit/ort#10271.

[sschuberth]

Any clue what's going wrong here, @mr-zepol?

[mr-zepol]

Any clue what's going wrong here, @mr-zepol?

I would take a look at this

[mr-zepol]

Any clue what's going wrong here, @mr-zepol?

I think I found the reason, it's because in the spec for previous reasons we have author as a single object String, and with 1.6 authors (now a list) was introduced and the serializer gets confused.

I will see if there's an easy way to fix this keeping backwards compatibility.

[mnonnenmacher]

@mr-zepol Did you have a chance to take a look?

[MarcelBochtler]

@mr-zepol Do you have an update?

[sschuberth]

Just to note this has not been fixed with CycloneDX 11.0.0.