Merge pull request #230 from jkowalleck/v1.5-schemaParser-AJV

fix JSON schema issues found by AJV

Author: stevespringett

.github/workflows/js.yml

@@ -0,0 +1,32 @@
+# docs: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions
+
+name: JS CI
+
+on: [push, pull_request, workflow_dispatch]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+
+defaults:
+  run:
+    working-directory: tools/src/test/js
+
+jobs:
+  test:
+    timeout-minutes: 30
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@v3
+      - name: Setup Node.js
+        # see https://github.com/actions/setup-node
+        uses: actions/setup-node@v3
+        with:
+          node-version: '20.x'
+      - name: Install Depenencies
+        run: npm install
+      - name: Run test 
+        run: npm test

schema/bom-1.5.schema.json

@@ -16,7 +16,6 @@
               "type": "array",
               "title": "Signature",
               "description": "Unique top level property for Multiple Signatures. (multisignature)",
-              "additionalItems": false,
               "items": {"$ref": "#/definitions/signer"}
             }
           }
@@ -28,7 +27,6 @@
               "type": "array",
               "title": "Signature",
               "description": "Unique top level property for Signature Chains. (signaturechain)",
-              "additionalItems": false,
               "items": {"$ref": "#/definitions/signer"}
             }
           }
@@ -94,7 +92,6 @@
           "type": "array",
           "title": "Certificate path",
           "description": "Optional. Sorted array of X.509 [RFC5280] certificates, where the first element must contain the signature certificate. The certificate path must be contiguous but is not required to be complete.",
-          "additionalItems": false,
           "items": {
             "type": "string"
           }
@@ -103,7 +100,6 @@
           "type": "array",
           "title": "Excludes",
           "description": "Optional. Array holding the names of one or more application level properties that must be excluded from the signature process. Note that the \"excludes\" property itself, must also be excluded from the signature process. Since both the \"excludes\" property and the associated data it points to are unsigned, a conforming JSF implementation must provide options for specifying which properties to accept.",
-          "additionalItems": false,
           "items": {
             "type": "string"
           }

schema/jsf-0.82.schema.json

@@ -0,0 +1,2 @@
+/node_modules/
+/package-lock.json

tools/src/test/js/.gitignore

@@ -0,0 +1,21 @@
+# validate the JSON schema with `AJV`
+
+uses https://ajv.js.org/
+for validation of a schema.
+
+## requirements
+
+* node >=16
+
+## setup
+
+```shell
+npm install
+```
+
+## usage
+
+```shell
+npm test
+```
+

tools/src/test/js/README.md

@@ -0,0 +1,113 @@
+"use strict";
+
+import assert from 'assert'
+import {readFile} from 'fs/promises'
+import {dirname, basename, join} from 'path'
+import {fileURLToPath} from 'url'
+
+import Ajv from 'ajv'
+import addFormats from 'ajv-formats'
+import addFormats2019 from 'ajv-formats-draft2019'
+import {glob} from 'glob'
+
+// region config
+
+const bomSchemasGlob = 'bom-*.schema.json'
+const schemaDir = join(dirname(fileURLToPath(import.meta.url)), '..', '..', '..', '..', 'schema')
+
+// endregion config
+
+const [spdxSchema, jsfSchema, bomSchemas] = await Promise.all([
+    readFile(join(schemaDir, 'spdx.schema.json'), 'utf-8').then(JSON.parse),
+    readFile(join(schemaDir, 'jsf-0.82.schema.json'), 'utf-8').then(JSON.parse),
+    glob(join(schemaDir, bomSchemasGlob)).then(l => l.sort())
+])
+assert.notStrictEqual(bomSchemas.length, 0)
+
+/**
+ * @param {boolean|"log"} strict
+ * @return {Ajv}
+ */
+function getAjv(strict) {
+    // see https://ajv.js.org/options.html
+    const ajv = new Ajv({
+        strict: strict,
+        strictSchema: strict,
+        strictNumbers: strict,
+        strictTypes: strict,
+        strictTuples: strict,
+        /* This parser has issues with the oneOf-required in
+         * `{ type: 'object', oneOf:[{required:['a']},{required:['b']}], properties:{a:{...},b:{...}} }`
+         * So  `strictRequired` must be `false` tor our schema files.
+         *
+         * This is a known and expected behaviour.
+         * see https://ajv.js.org/strict-mode.html#defined-required-properties
+         * > Property defined in parent schema
+         * > There are cases when property defined in the parent schema will not be taken into account.
+         */
+        strictRequired: false,
+        validateFormats: true,
+        allowMatchingProperties: true,
+        addUsedSchema: false,
+        schemas: {
+            'http://cyclonedx.org/schema/spdx.schema.json': spdxSchema,
+            'http://cyclonedx.org/schema/jsf-0.82.schema.json': jsfSchema
+        }
+    });
+    addFormats(ajv)
+    addFormats2019(ajv, {formats: ['idn-email']})
+    // there is just no working implementation for format "iri-reference"
+    // see https://github.com/luzlab/ajv-formats-draft2019/issues/22
+    ajv.addFormat('iri-reference', true)
+    return ajv
+}
+
+let errCnt = 0
+
+for (const bomSchemaFile of bomSchemas) {
+    console.log('\n> SchemaFile: ', bomSchemaFile);
+    const v = /^bom-(\d)\.(\d)/.exec(basename(bomSchemaFile)) ?? []
+    if (!v[0]) {
+        // test match failed
+        console.log('> Skipped.')
+        continue
+    }
+
+    const cdxVersion = [Number(v[1]), Number(v[2])]
+    const strict = cdxVersion >= [1, 5]
+        ? true
+        : 'log'
+    console.debug('> strict: ', strict)
+    const ajv = getAjv(strict)
+
+    if (cdxVersion[0] === 1 &&  cdxVersion[1] === 2) {
+        // CycloneDX 1.2 had a wrong undefined format `string`.
+        // Let's ignore this format only for this special version.
+        ajv.addFormat('string', true)
+    }
+
+    let bomSchema
+    try {
+        bomSchema = await readFile(bomSchemaFile, 'utf-8').then(JSON.parse)
+    } catch (err) {
+        ++errCnt
+        console.error('!!! JSON DECODE ERROR:', err)
+        continue
+    }
+
+    console.group(`> compile schema, log warnings ...`)
+    try {
+        ajv.compile(bomSchema)
+    } catch (err) {
+        ++errCnt
+        console.groupEnd()
+        console.error(`!!! SCHEMA ERROR: ${err}`)
+        continue
+    }
+    console.groupEnd()
+    console.log('> SCHEMA OK.')
+}
+
+// Exit statuses should be in the range 0 to 254.
+// The status 0 is used to terminate the program successfully.
+process.exitCode = Math.min(errCnt, 254)

tools/src/test/js/json-schema-lint-tests.js

@@ -0,0 +1,21 @@
+{
+  "private": true,
+  "type": "module",
+  "engines": {
+    "node": ">=16"
+  },
+  "dependencies": {
+    "ajv": "^8.12.0",
+    "ajv-formats": "^2.1.1",
+    "ajv-formats-draft2019": "^1.6.1",
+    "glob": "^10.2.6",
+    "npm-run-all": "^4.1.5"
+  },
+  "devDependencies": {
+    "@types/node": ">=16"
+  },
+  "scripts": {
+    "test": "run-s test:*",
+    "test:json-schema-lint": "node -- json-schema-lint-tests.js"
+  }
+}